diff --git a/crates/relicario-cli/src/helpers.rs b/crates/relicario-cli/src/helpers.rs
index 5bc36a0..6991ea4 100644
--- a/crates/relicario-cli/src/helpers.rs
+++ b/crates/relicario-cli/src/helpers.rs
@@ -88,19 +88,21 @@ fn plural(n: i64) -> &'static str { if n == 1 { "" } else { "s" } }
 ///
 /// **Plaintext leak:** group names land on disk in cleartext alongside the
 /// vault directory. This is intentional — the file feeds shell completion,
-/// which cannot prompt for a passphrase. Set `RELICARIO_NO_GROUPS_CACHE=1`
-/// to suppress the write.
+/// which cannot prompt for a passphrase. In debug builds, set
+/// `RELICARIO_NO_GROUPS_CACHE=1` to suppress the write.
 pub fn groups_cache_path(vault_dir: &Path) -> PathBuf {
 vault_dir.join(".relicario").join("groups.cache")
 }
 /// Write the sorted set of group names to `/.relicario/groups.cache`,
-/// one name per line. A no-op if `RELICARIO_NO_GROUPS_CACHE` is set.
+/// one name per line. In debug builds, setting `RELICARIO_NO_GROUPS_CACHE`
+/// suppresses the write (developer debugging tool). In release builds the env
+/// var is ignored.
 pub fn write_groups_cache(
 vault_dir: &Path,
 groups: &std::collections::BTreeSet,
 ) -> std::io::Result<()> {
- if std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() {
+ if cfg!(debug_assertions) && std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() {
 return Ok(());
 }
 let path = groups_cache_path(vault_dir);
diff --git a/crates/relicario-cli/src/main.rs b/crates/relicario-cli/src/main.rs
index 3c4029a..438db21 100644
--- a/crates/relicario-cli/src/main.rs
+++ b/crates/relicario-cli/src/main.rs
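Review bot: With the `cfg!(debug_assertions)` gate in `write_groups_cache` (helpers.rs), a build without debug assertions always writes the group names in cleartext and the user has no documented way left to suppress it, even though honoring the variable could only reduce what reaches disk. If that is intended, the "Plaintext leak" paragraph on `groups_cache_path` should say so outright, for example `/// Release builds always write this file; there is no opt-out.`; if it is not, keep the check unconditional. `debug_assertions` follows the profile's `debug-assertions` setting rather than the profile name, so "debug builds" and "release builds" in these doc comments hold only for default profiles. The body of `write_groups_cache` continues past the hunk, so how the file is created (mode, location checks) is not visible here.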
@@ -170,7 +170,7 @@ enum Commands {
 ///
 /// For `--group ` autocomplete, the bash/zsh/fish scripts read
 /// the plaintext `${RELICARIO_VAULT}/.relicario/groups.cache` file,
- /// which the CLI refreshes on every manifest read. Set
+ /// which the CLI refreshes on every manifest read. In debug builds, set
 /// `RELICARIO_NO_GROUPS_CACHE=1` to opt out of the cache (completion
 /// will fall back to no value enumeration).
 ///
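Review bot: The doc comment in `Commands` (main.rs) now names the opt-out only for debug builds and never says that other builds ignore the variable, so a reader of this text (presumably the CLI help, if these comments feed it) may still set it on a release binary and assume no plaintext cache is written. Add the missing half, e.g. `/// Release builds ignore this variable and always write the cache.`. The enum and the doc comment both continue outside the hunk.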