Spaces:

SmartHeal
/

Password-Manage

Sleeping

App Files Files Community

SmartHeal commited on Aug 15

Commit

8475ebb

verified ·

1 Parent(s): 5e3b27c

Update src/streamlit_app.py

Browse files

Files changed (1) hide show

src/streamlit_app.py +86 -656

src/streamlit_app.py CHANGED Viewed

@@ -1,669 +1,99 @@
-#!/usr/bin/env python3
-"""
-SmartPass — Streamlit Password Manager (Hugging Face Spaces–ready, uploads-enabled)
-• Zero-knowledge: Argon2id KDF → HKDF subkeys → AES-GCM per-item + HMAC integrity
-• Excel/CSV import (auto-maps common headers)
-• Quick Password Lookup (type a site/app and reveal password)
-• Writes to /data by default on Spaces; configurable via UPLOAD_DIR/TMPDIR env vars
-Run locally:
-  pip install streamlit cryptography argon2-cffi pandas openpyxl
-  streamlit run streamlit_app.py
-On Hugging Face Spaces (recommended flags):
-  STREAMLIT_SERVER_ENABLE_XSRF_PROTECTION=false
-  STREAMLIT_SERVER_ENABLE_CORS=false
-"""
-from __future__ import annotations
-import json
-import time
-import base64
-import secrets
-import os
-from pathlib import Path
-from dataclasses import dataclass, asdict
-from typing import List, Optional, Dict, Any
 import streamlit as st
-import pandas as pd  # Excel/CSV import
-# ---- Crypto deps ----
-from cryptography.hazmat.primitives.ciphers.aead import AESGCM
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
-from cryptography.hazmat.primitives.hmac import HMAC
-from cryptography.hazmat.backends import default_backend
-from argon2.low_level import hash_secret_raw, Type
-APP_TITLE = "SmartPass — Local, Zero‑Knowledge Password Manager"
-VERSION = 1
-# -------------------------- Uploads / temp dirs --------------------------
-# Detect Hugging Face Spaces and default to /data (writable). Allow env overrides.
-IS_HF = any(os.environ.get(k) for k in ("HUGGINGFACE_SPACE", "SPACE_ID", "HF_SPACE_ID"))
-DEFAULT_UPLOAD = "/data/uploads" if IS_HF else "./uploads"
-DEFAULT_TMP = "/data/tmp" if IS_HF else "./tmp"
-UPLOAD_DIR = Path(os.environ.get("UPLOAD_DIR", DEFAULT_UPLOAD)).resolve()
-TMP_DIR = Path(os.environ.get("TMPDIR", DEFAULT_TMP)).resolve()
-for p in (UPLOAD_DIR, TMP_DIR):
-    p.mkdir(parents=True, exist_ok=True)
-# -------------------------- Utility helpers --------------------------
-def safe_write_text(path: Path, text: str) -> Path:
-    """Write text to path, creating parents. If it fails (e.g., perms),
-    retry under TMP_DIR. Returns the final Path written."""
-    try:
-        path.parent.mkdir(parents=True, exist_ok=True)
-        path.write_text(text, encoding="utf-8")
-        return path
-    except Exception:
-        alt = TMP_DIR / path.name
-        alt.parent.mkdir(parents=True, exist_ok=True)
-        alt.write_text(text, encoding="utf-8")
-        return alt
-def b64e(b: bytes) -> str:
-    return base64.b64encode(b).decode("utf-8")
-def b64d(s: str) -> bytes:
-    return base64.b64decode(s.encode("utf-8"))
-def hkdf_expand(key_material: bytes, info: bytes, length: int = 32, salt: Optional[bytes] = None) -> bytes:
-    hkdf = HKDF(
-        algorithm=hashes.SHA256(),
-        length=length,
-        salt=salt,
-        info=info,
-        backend=default_backend(),
-    )
-    return hkdf.derive(key_material)
-# -------------------------- KDF & Keys --------------------------
-@dataclass
-class KDFParams:
-    algo: str = "argon2id"
-    salt_b64: str = ""
-    m_cost_kib: int = 131072  # 128 MiB
-    t_cost: int = 3
-    parallelism: int = 1
-    hash_len: int = 32
-    def to_dict(self):
-        return asdict(self)
-@dataclass
-class WrappedDataKey:
-    nonce_b64: str
-    ct_b64: str
-    def to_dict(self):
-        return asdict(self)
-@dataclass
-class VaultItem:
-    id: str
-    type: str  # "login" | "note"
-    enc_blob_b64: str
-    nonce_b64: str
-    created_at: float
-    updated_at: float
-    def to_dict(self):
-        return asdict(self)
-@dataclass
-class Vault:
-    version: int
-    kdf: KDFParams
-    data_key_wrapped: WrappedDataKey
-    items: List[VaultItem]
-    integrity_hmac_b64: str
-    def to_dict(self):
-        return {
-            "version": self.version,
-            "kdf": self.kdf.to_dict(),
-            "data_key_wrapped": self.data_key_wrapped.to_dict(),
-            "items": [it.to_dict() for it in self.items],
-            "integrity_hmac_b64": self.integrity_hmac_b64,
-        }
-# Argon2id derivation → 32B master key bytes
-def derive_master_key(password: str, kdf: KDFParams) -> bytes:
-    if kdf.algo != "argon2id":
-        raise ValueError("Unsupported KDF")
-    salt = b64d(kdf.salt_b64)
-    mk = hash_secret_raw(
-        secret=password.encode("utf-8"),
-        salt=salt,
-        time_cost=kdf.t_cost,
-        memory_cost=kdf.m_cost_kib,
-        parallelism=kdf.parallelism,
-        hash_len=kdf.hash_len,
-        type=Type.ID,
-    )
-    return mk
-# -------------------------- Encryption helpers --------------------------
-def aesgcm_encrypt(key: bytes, plaintext: bytes, aad: Optional[bytes] = None) -> Dict[str, str]:
-    aes = AESGCM(key)
-    nonce = secrets.token_bytes(12)
-    ct = aes.encrypt(nonce, plaintext, aad)
-    return {"nonce_b64": b64e(nonce), "ct_b64": b64e(ct)}
-def aesgcm_decrypt(key: bytes, nonce_b64: str, ct_b64: str, aad: Optional[bytes] = None) -> bytes:
-    aes = AESGCM(key)
-    return aes.decrypt(b64d(nonce_b64), b64d(ct_b64), aad)
-# -------------------------- Integrity (HMAC) --------------------------
-def canonical_vault_for_hmac(v: Dict[str, Any]) -> bytes:
-    tmp = dict(v)
-    tmp.pop("integrity_hmac_b64", None)
-    return json.dumps(tmp, sort_keys=True, separators=(",", ":")).encode("utf-8")
-def compute_hmac(mac_key: bytes, v_dict: Dict[str, Any]) -> str:
-    h = HMAC(mac_key, hashes.SHA256(), backend=default_backend())
-    h.update(canonical_vault_for_hmac(v_dict))
-    return b64e(h.finalize())
-def verify_hmac(mac_key: bytes, v_dict: Dict[str, Any]) -> bool:
-    try:
-        expected = v_dict.get("integrity_hmac_b64", "")
-        h = HMAC(mac_key, hashes.SHA256(), backend=default_backend())
-        h.update(canonical_vault_for_hmac(v_dict))
-        h.verify(b64d(expected))
-        return True
-    except Exception:
-        return False
-# -------------------------- Vault Ops --------------------------
-def new_vault(password: str) -> Vault:
-    kdf = KDFParams()
-    kdf.salt_b64 = b64e(secrets.token_bytes(16))
-    master_key = derive_master_key(password, kdf)
-    wrap_key = hkdf_expand(master_key, b"wrap-key")  # for wrapping data key
-    mac_key = hkdf_expand(master_key, b"vault-mac")  # for HMAC integrity
-    data_key = secrets.token_bytes(32)
-    wrapped = aesgcm_encrypt(wrap_key, data_key, aad=b"SmartPass:data-key")
-    vault = Vault(
-        version=VERSION,
-        kdf=kdf,
-        data_key_wrapped=WrappedDataKey(**wrapped),
-        items=[],
-        integrity_hmac_b64="",
-    )
-    vdict = vault.to_dict(); vdict["integrity_hmac_b64"] = ""
-    vault.integrity_hmac_b64 = compute_hmac(mac_key, vdict)
-    return vault
-def unlock_vault(vault_dict: Dict[str, Any], password: str) -> Dict[str, Any]:
-    kdfd = vault_dict["kdf"]
-    kdf = KDFParams(**kdfd) if isinstance(kdfd, dict) else kdfd
-    master_key = derive_master_key(password, kdf)
-    wrap_key = hkdf_expand(master_key, b"wrap-key")
-    mac_key = hkdf_expand(master_key, b"vault-mac")
-    if not verify_hmac(mac_key, vault_dict):
-        raise ValueError("Integrity check failed. The vault may be corrupted or the password is incorrect.")
-    w = vault_dict["data_key_wrapped"]
-    data_key = aesgcm_decrypt(wrap_key, w["nonce_b64"], w["ct_b64"], aad=b"SmartPass:data-key")
-    return {"data_key": data_key, "mac_key": mac_key}
-def re_hmac(vault_dict: Dict[str, Any], mac_key: bytes) -> None:
-    vault_dict["integrity_hmac_b64"] = ""
-    vault_dict["integrity_hmac_b64"] = compute_hmac(mac_key, vault_dict)
-# -------------------------- Item Ops --------------------------
-def encrypt_item(data_key: bytes, payload: Dict[str, Any]) -> VaultItem:
-    now = time.time()
-    enc = aesgcm_encrypt(data_key, json.dumps(payload).encode("utf-8"))
-    return VaultItem(
-        id=secrets.token_hex(8),
-        type=payload.get("type", "login"),
-        enc_blob_b64=enc["ct_b64"],
-        nonce_b64=enc["nonce_b64"],
-        created_at=now,
-        updated_at=now,
-    )
-def decrypt_item(data_key: bytes, it: VaultItem) -> Dict[str, Any]:
-    pt = aesgcm_decrypt(data_key, it.nonce_b64, it.enc_blob_b64)
-    return json.loads(pt.decode("utf-8"))
-def update_item(data_key: bytes, it: VaultItem, payload: Dict[str, Any]) -> VaultItem:
-    enc = aesgcm_encrypt(data_key, json.dumps(payload).encode("utf-8"))
-    it.enc_blob_b64 = enc["ct_b64"]
-    it.nonce_b64 = enc["nonce_b64"]
-    it.updated_at = time.time()
-    return it
-# -------------------------- Import helpers (Excel/CSV) --------------------------
-def _read_tabular(file_or_path) -> pd.DataFrame:
-    # Accept file-like or path
-    if hasattr(file_or_path, "read"):
-        try:
-            return pd.read_excel(file_or_path)
-        except Exception:
-            try:
-                file_or_path.seek(0)
-            except Exception:
-                pass
-            return pd.read_csv(file_or_path)
-    name = str(file_or_path).lower()
-    if name.endswith(".csv"):
-        return pd.read_csv(file_or_path)
-    return pd.read_excel(file_or_path)
-def _standardize_columns(df: pd.DataFrame) -> pd.DataFrame:
-    aliases = {
-        "name": ["name", "title", "site", "account"],
-        "username": ["username", "user", "login", "email"],
-        "url": ["url", "link", "website", "domain"],
-        "password": ["password", "pass", "pwd"],
-        "note": ["note", "notes", "remark", "remarks"],
-        "tags": ["tags", "label", "labels", "category", "categories"],
-        "type": ["type", "item_type"],
-    }
-    colmap: Dict[str, str] = {}
-    lower_cols = {c.lower().strip(): c for c in df.columns}
-    for target, alias_list in aliases.items():
-        for a in alias_list:
-            if a in lower_cols:
-                colmap[target] = lower_cols[a]
                 break
-    for col in ["name", "username", "url", "password", "note", "tags", "type"]:
         if col not in colmap:
             df[col] = ""
             colmap[col] = col
-    return (
-        df[[colmap[c] for c in ["name", "username", "url", "password", "note", "tags", "type"]]]
-        .rename(columns={colmap[c]: c for c in colmap})
-    )
-# -------------------------- Streamlit UI --------------------------
-st.set_page_config(page_title=APP_TITLE, page_icon="🔐", layout="wide")
-if "vault" not in st.session_state:
-    st.session_state.vault: Optional[Dict[str, Any]] = None
-if "unlocked" not in st.session_state:
-    st.session_state.unlocked = False
-if "keys" not in st.session_state:
-    st.session_state.keys = None  # {data_key, mac_key}
-if "last_active" not in st.session_state:
-    st.session_state.last_active = time.time()
-def touch():
-    st.session_state.last_active = time.time()
-def auto_lock(minutes: int):
-    if st.session_state.unlocked:
-        if time.time() - st.session_state.last_active > minutes * 60:
-            st.warning("Auto-locked due to inactivity.")
-            do_lock()
-def do_lock():
-    st.session_state.unlocked = False
-    st.session_state.keys = None
-    touch()
-# Sidebar: Create / Open / Lock / Export / Import
-with st.sidebar:
-    st.title("🔐 SmartPass")
-    st.caption(f"Uploads dir: {UPLOAD_DIR}")
-    # Auto-lock
-    lock_minutes = st.number_input("Auto-lock (minutes)", min_value=1, max_value=120, value=5)
-    if st.session_state.unlocked:
-        if st.button("Lock Now", use_container_width=True):
-            do_lock()
-        auto_lock(lock_minutes)
-    st.divider()
-    st.subheader("Open Vault")
-    up = st.file_uploader("Upload existing vault (.json)", type=["json"], accept_multiple_files=False)
-    password_open = st.text_input("Master password", type="password")
-    if st.button("Unlock", use_container_width=True):
-        if up is None:
-            st.error("Please upload a vault file.")
-        elif not password_open:
-            st.error("Please enter your master password.")
-        else:
-            try:
-                saved_vault_path = UPLOAD_DIR / (up.name or "uploaded_vault.json")
-                with open(saved_vault_path, "wb") as f:
-                    f.write(up.getbuffer())
-                vault_dict = json.loads(saved_vault_path.read_text(encoding="utf-8"))
-                keys = unlock_vault(vault_dict, password_open)
-                st.session_state.vault = vault_dict
-                st.session_state.keys = keys
-                st.session_state.unlocked = True
-                touch()
-                st.success(f"Vault unlocked. Saved copy: {saved_vault_path}")
-            except Exception as e:
-                st.session_state.unlocked = False
-                st.error(f"Failed to unlock: {e}")
-    st.divider()
-    st.subheader("Create New Vault")
-    new_pw = st.text_input("New master password", type="password")
-    new_pw2 = st.text_input("Confirm password", type="password")
-    with st.expander("Advanced KDF (Argon2id)"):
-        m_mib = st.slider("Memory (MiB)", 64, 512, 128, step=32)
-        t_cost = st.slider("Iterations", 1, 6, 3)
-        par = st.slider("Parallelism", 1, 4, 1)
-    if st.button("Create Vault", use_container_width=True):
-        if not new_pw:
-            st.error("Master password required.")
-        elif new_pw != new_pw2:
-            st.error("Passwords do not match.")
-        else:
-            v = new_vault(new_pw)
-            v.kdf.m_cost_kib = m_mib * 1024
-            v.kdf.t_cost = t_cost
-            v.kdf.parallelism = par
-            mk = derive_master_key(new_pw, v.kdf)
-            mac_key = hkdf_expand(mk, b"vault-mac")
-            vdict = v.to_dict(); vdict["integrity_hmac_b64"] = compute_hmac(mac_key, vdict)
-            st.session_state.vault = vdict
-            st.session_state.keys = unlock_vault(vdict, new_pw)
-            st.session_state.unlocked = True
-            # Persist the new vault to uploads (fallback to TMP if needed)
-            new_path = UPLOAD_DIR / "vault.smartpass.json"
-            _written = safe_write_text(new_path, json.dumps(vdict, separators=(",", ":")))
-            touch()
-            st.success(f"New vault created, unlocked, and saved at {_written}.")
-    st.divider()
-    st.subheader("Export / Backup")
-    if st.session_state.vault is not None:
-        export_json = json.dumps(st.session_state.vault, separators=(",", ":"))
-        st.download_button(
-            label="Download vault JSON",
-            data=export_json,
-            file_name="vault.smartpass.json",
-            mime="application/json",
-            use_container_width=True,
-        )
-        if st.button("Save vault to uploads/", use_container_width=True):
-            path = UPLOAD_DIR / "vault.smartpass.json"
-            final_path = safe_write_text(path, export_json)
-            st.success(f"Saved: {final_path}")
-    st.divider()
-    st.subheader("Import from Excel/CSV")
-    st.caption("Headers: name, username, url, password, note, tags, optional type (login/note). Aliases auto-mapped.")
-    imp = st.file_uploader("Upload creds file (.xlsx/.xls/.csv)", type=["xlsx","xls","csv"], accept_multiple_files=False, key="importer")
-    if imp is not None and st.session_state.unlocked:
-        try:
-            saved_creds_path = UPLOAD_DIR / (imp.name or "creds_upload.xlsx")
-            with open(saved_creds_path, "wb") as f:
-                f.write(imp.getbuffer())
-            df = _read_tabular(saved_creds_path)
-            df = _standardize_columns(df)
-            df['type'] = df['type'].fillna('').astype(str).str.lower().replace({'': 'login'})
-            added = 0
-            items_local: List[VaultItem] = [VaultItem(**it) for it in st.session_state.vault.get("items", [])]
-            for _, row in df.iterrows():
-                payload = {
-                    "type": (row.get('type') or 'login') if (row.get('type') in ['login','note']) else 'login',
-                    "name": str(row.get('name') or '').strip(),
-                    "username": str(row.get('username') or '').strip(),
-                    "url": str(row.get('url') or '').strip(),
-                    "password": str(row.get('password') or '').strip(),
-                    "note": str(row.get('note') or '').strip(),
-                    "tags": [t.strip() for t in str(row.get('tags') or '').split(',') if t.strip()],
-                }
-                if not any([payload['name'], payload['username'], payload['url'], payload['password'], payload['note'], payload['tags']]):
-                    continue
-                items_local.append(encrypt_item(st.session_state.keys["data_key"], payload))
-                added += 1
-            st.session_state.vault["items"] = [it.to_dict() for it in items_local]
-            re_hmac(st.session_state.vault, st.session_state.keys["mac_key"])
-            safe_write_text(UPLOAD_DIR / "vault.smartpass.json", json.dumps(st.session_state.vault, separators=(",", ":")))
-            st.success(f"Imported {added} item(s). Updated vault saved.")
-            st.experimental_rerun()
-        except Exception as e:
-            st.error(f"Import failed: {e}")
-# -------------------------- Main Area --------------------------
-st.title(APP_TITLE)
-if not st.session_state.unlocked:
-    st.info("Unlock or create a vault from the left sidebar to begin.")
-    st.stop()
-# Top actions
-col1, col2, col3, col4 = st.columns([3, 1, 1, 1])
-with col1:
-    q = st.text_input("Search (name / username / url / tags)", value="")
-with col2:
-    if st.button("Add Login"):
-        st.session_state["add_type"] = "login"
-with col3:
-    if st.button("Add Secure Note"):
-        st.session_state["add_type"] = "note"
-with col4:
-    if st.button("Lock"):
-        do_lock()
-        st.experimental_rerun()
-# Quick Password Lookup
-st.markdown("### 🔎 Quick Password Lookup")
-lookup = st.text_input("Which site/app? (e.g., gmail, netflix.com, bank)", key="quick_lookup")
-if lookup.strip():
-    LQ = lookup.strip().lower()
-    _matches = []
-    _items_all: List[VaultItem] = [VaultItem(**it) for it in st.session_state.vault.get("items", [])]
-    for _it in _items_all:
-        try:
-            _pl = decrypt_item(st.session_state.keys["data_key"], _it)
-        except Exception:
-            continue
-        _name = str(_pl.get("name", ""))
-        _user = str(_pl.get("username", ""))
-        _url  = str(_pl.get("url", ""))
-        _tags = ",".join(_pl.get("tags", []))
-        hay = " ".join([_name, _user, _url, _tags]).lower()
-        if LQ in hay:
-            _matches.append((_it, _pl))
-    if not _matches:
-        st.info("No matches found in your vault. If this account isn't stored here yet, import or add it first.")
-    else:
-        for _it, _pl in _matches[:10]:
-            with st.expander(f"{_pl.get('name') or '(unnamed)'} — {_pl.get('username','')}  [{_it.type}]"):
-                c1, c2 = st.columns([2, 1])
-                with c1:
-                    st.write(f"**URL:** {_pl.get('url','')}")
-                    show_pw = st.checkbox("Show password", key=f"show_{_it.id}")
-                    pw_val = _pl.get('password','') if _it.type == 'login' else ''
-                    st.text_input("Password", value=pw_val,
-                                  type=("default" if show_pw else "password"),
-                                  key=f"quick_pw_{_it.id}")
-                with c2:
-                    if st.button("Edit", key=f"quick_edit_{_it.id}"):
-                        st.session_state["edit_id"] = _it.id
-                        st.session_state["edit_payload"] = {
-                            **_pl,
-                            "type": _it.type,
-                            "name": _pl.get("name",""),
-                            "username": _pl.get("username",""),
-                            "url": _pl.get("url",""),
-                            "password": _pl.get("password",""),
-                            "note": _pl.get("note",""),
-                            "tags": ", ".join(_pl.get("tags", [])),
-                        }
-                        st.experimental_rerun()
-# Decrypt all for listing
-vault_dict = st.session_state.vault
-keys = st.session_state.keys
-items: List[VaultItem] = [VaultItem(**it) for it in vault_dict.get("items", [])]
-rows = []
-for it in items:
     try:
-        payload = decrypt_item(keys["data_key"], it)
-        rows.append({
-            "_id": it.id,
-            "type": it.type,
-            "name": payload.get("name", ""),
-            "username": payload.get("username", ""),
-            "url": payload.get("url", ""),
-            "password": payload.get("password", "") if it.type == "login" else "",
-            "note": payload.get("note", "") if it.type == "note" else "",
-            "tags": ", ".join(payload.get("tags", [])),
-            "updated": time.strftime('%Y-%m-%d %H:%M', time.localtime(it.updated_at)),
-        })
-    except Exception:
-        rows.append({"_id": it.id, "type": it.type, "name": "<decrypt error>", "username": "", "url": "", "password": "", "note": "", "tags": "", "updated": ""})
-# Filter main list
 if q.strip():
-    Q = q.lower()
-    rows = [r for r in rows if any(Q in (str(r[k]) or "").lower() for k in ["name", "username", "url", "tags", "note"]) ]
-st.caption(f"Items: {len(rows)}")
-# Render items
-for r in rows:
-    with st.expander(f"{r['name'] or '(unnamed)'} — {r['username']}  [{r['type']}]  • updated {r['updated']}"):
-        c1, c2 = st.columns([2, 1])
-        with c1:
-            st.write(f"**URL:** {r['url']}")
-            if r['type'] == 'login':
-                st.text_input("Password", value=r['password'], type="password", key=f"pw_{r['_id']}")
-            if r['type'] == 'note':
-                st.text_area("Note", value=r['note'], height=100, key=f"note_{r['_id']}")
-            st.write(f"**Tags:** {r['tags']}")
-        with c2:
-            if st.button("Edit", key=f"edit_{r['_id']}"):
-                st.session_state["edit_id"] = r['_id']
-                st.session_state["edit_payload"] = r
-            if st.button("Delete", key=f"del_{r['_id']}"):
-                items = [it for it in items if it.id != r['_id']]
-                vault_dict["items"] = [it.to_dict() for it in items]
-                re_hmac(vault_dict, keys["mac_key"])
-                safe_write_text(UPLOAD_DIR / "vault.smartpass.json", json.dumps(vault_dict, separators=(",", ":")))
-                st.session_state.vault = vault_dict
-                st.success("Deleted and saved.")
-                st.experimental_rerun()
-# Add / Edit modals
-if st.session_state.get("add_type"):
-    with st.modal("Add Item"):
-        add_type = st.session_state.get("add_type")
-        name = st.text_input("Name")
-        username = st.text_input("Username") if add_type == "login" else ""
-        url = st.text_input("URL") if add_type == "login" else ""
-        password = st.text_input("Password", type="password") if add_type == "login" else ""
-        note = st.text_area("Secure Note", height=120) if add_type == "note" else ""
-        tags = st.text_input("Tags (comma-separated)")
-        if st.button("Save"):
-            payload = {
-                "type": add_type,
-                "name": name,
-                "username": username,
-                "url": url,
-                "password": password,
-                "note": note,
-                "tags": [t.strip() for t in tags.split(",") if t.strip()],
-            }
-            new_item = encrypt_item(keys["data_key"], payload)
-            items.append(new_item)
-            vault_dict["items"] = [it.to_dict() for it in items]
-            re_hmac(vault_dict, keys["mac_key"])
-            safe_write_text(UPLOAD_DIR / "vault.smartpass.json", json.dumps(vault_dict, separators=(",", ":")))
-            st.session_state.vault = vault_dict
-            st.session_state["add_type"] = None
-            st.success("Item added and saved.")
-            st.experimental_rerun()
-        if st.button("Cancel"):
-            st.session_state["add_type"] = None
-if st.session_state.get("edit_id"):
-    with st.modal("Edit Item"):
-        eid = st.session_state.get("edit_id")
-        original = next((it for it in items if it.id == eid), None)
-        payload = st.session_state.get("edit_payload", {})
-        etype = payload.get("type", "login")
-        name = st.text_input("Name", value=payload.get("name", ""))
-        username = st.text_input("Username", value=payload.get("username", "")) if etype == "login" else ""
-        url = st.text_input("URL", value=payload.get("url", "")) if etype == "login" else ""
-        password = st.text_input("Password", value=payload.get("password", ""), type="password") if etype == "login" else ""
-        note = st.text_area("Secure Note", value=payload.get("note", ""), height=120) if etype == "note" else ""
-        tags = st.text_input("Tags (comma-separated)", value=payload.get("tags", ""))
-        if st.button("Save Changes"):
-            new_payload = {
-                "type": etype,
-                "name": name,
-                "username": username,
-                "url": url,
-                "password": password,
-                "note": note,
-                "tags": [t.strip() for t in tags.split(",") if t.strip()],
-            }
-            updated = update_item(keys["data_key"], original, new_payload)
-            items = [updated if it.id == eid else it for it in items]
-            vault_dict["items"] = [it.to_dict() for it in items]
-            re_hmac(vault_dict, keys["mac_key"])
-            safe_write_text(UPLOAD_DIR / "vault.smartpass.json", json.dumps(vault_dict, separators=(",", ":")))
-            st.session_state.vault = vault_dict
-            st.session_state["edit_id"] = None
-            st.success("Updated and saved.")
-            st.experimental_rerun()
-        if st.button("Cancel"):
-            st.session_state["edit_id"] = None
-# Security notes
-with st.expander("Security Notes & Tips"):
     st.markdown(
-        f"""
-- **All crypto is local.** The vault JSON contains only ciphertext + metadata.
-- **Uploads dir:** `{UPLOAD_DIR}` (configurable via `UPLOAD_DIR`). Vault and imported files are saved here.
-- **Zero-knowledge:** The app never stores your master password; derivation happens in memory.
-- **Integrity:** Vault includes an HMAC to detect tampering/corruption.
-- **KDF tuning:** If your device is slow, reduce Argon2 memory/iterations in the sidebar.
-- **Backups:** Keep copies of your exported vault JSON in safe places.
         """
     )

 import streamlit as st
+import pandas as pd
+st.set_page_config(page_title="Simple Password Lookup", page_icon="🔎", layout="centered")
+st.title("🔎 Simple Password Lookup")
+st.caption("Upload your Excel/CSV once → search by platform or username → reveal password.")
+# ---------------- Helpers ----------------
+ALIASES = {
+    "name": ["name", "title", "site", "account", "platform", "service", "app"],
+    "username": ["username", "user", "login", "email", "userid", "id"],
+    "url": ["url", "link", "website", "domain"],
+    "password": ["password", "pass", "pwd", "secret"],
+    "note": ["note", "notes", "remark", "remarks"],
+}
+EXPECTED = ["name", "username", "url", "password", "note"]
+def standardize_columns(df: pd.DataFrame) -> pd.DataFrame:
+    # Normalize input headers to lowercase strings
+    df.columns = [str(c).strip().lower() for c in df.columns]
+    colmap = {}
+    # map aliases
+    for target, alias_list in ALIASES.items():
+        for c in df.columns:
+            if c in alias_list:
+                colmap[target] = c
                 break
+    # ensure all expected exist
+    for col in EXPECTED:
         if col not in colmap:
             df[col] = ""
             colmap[col] = col
+    out = df[[colmap[c] for c in EXPECTED]].rename(columns={colmap[c]: c for c in colmap})
+    # sanitize to strings
+    for c in EXPECTED:
+        out[c] = out[c].astype(str).fillna("")
+    # drop fully empty rows
+    mask = (out["name"].str.strip() != "") | (out["username"].str.strip() != "") | (out["url"].str.strip() != "") | (out["password"].str.strip() != "")
+    return out[mask].reset_index(drop=True)
+def read_any(file) -> pd.DataFrame:
+    name = (file.name or "").lower()
+    if name.endswith(".csv"):
+        return pd.read_csv(file)
+    return pd.read_excel(file)
+# ---------------- Upload once ----------------
+if "creds" not in st.session_state:
+    st.subheader("1) Upload your Excel/CSV")
+    up = st.file_uploader("Choose file", type=["xlsx", "xls", "csv"], accept_multiple_files=False)
+    if up is None:
+        st.stop()
     try:
+        df = read_any(up)
+        df = standardize_columns(df)
+        st.session_state.creds = df
+        st.success(f"Loaded {len(df)} entries.")
+    except Exception as e:
+        st.error(f"Failed to read file: {e}")
+        st.stop()
+# ---------------- Search ----------------
+st.subheader("2) Find your password")
+q = st.text_input("Search by platform/site/username", placeholder="e.g., netflix, gmail.com, your@email.com")
 if q.strip():
+    Q = q.lower().strip()
+    df = st.session_state.creds
+    mask = (
+        df["name"].str.lower().str.contains(Q)
+        | df["username"].str.lower().str.contains(Q)
+        | df["url"].str.lower().str.contains(Q)
+    )
+    results = df[mask]
+    if results.empty:
+        st.warning("No matches. Try another keyword or check your file headers.")
+    else:
+        st.caption(f"Matches: {len(results)} (showing up to 50)")
+        for idx, row in results.head(50).iterrows():
+            title = row['name'] or row['username'] or row['url']
+            with st.expander(f"{title} — {row['username']} | {row['url']}"):
+                show = st.checkbox("Show password", key=f"show_{idx}")
+                st.text_input("Password", value=row["password"], type=("default" if show else "password"), key=f"pw_{idx}")
+                if str(row.get("note", "")).strip():
+                    st.caption("Note: " + str(row["note"]))
+else:
+    st.caption("Type a keyword above to search.")
+# ---------------- Tips ----------------
+with st.expander("Tips"):
     st.markdown(
+        """
+- Required columns (case-insensitive, aliases ok): name, username, url, password. Optional: note.
+- Data is kept only **in memory** for this session. Re-upload if the app restarts.
+- For large files, use CSV for faster upload.
         """
     )