From 006e67c36104b5a71bbdf5fb40a6636b0f0645aa Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sat, 2 May 2026 18:51:15 -0400
Subject: [PATCH] fix(cli): cfg-gate RELICARIO_NO_GROUPS_CACHE to debug builds (audit S3)

The groups-cache opt-out is a developer debugging knob, not a user-facing config. Gating the env-var lookup behind cfg!(debug_assertions) makes release builds ignore the variable; the optimiser removes the lookup entirely, so the variable name doesn't appear in release binary strings output. Doc-comments updated to reflect the new behaviour.

Co-Authored-By: Claude Haiku 4.5
---
 crates/relicario-cli/src/helpers.rs | 10 ++++++----
 crates/relicario-cli/src/main.rs | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/crates/relicario-cli/src/helpers.rs b/crates/relicario-cli/src/helpers.rs
index 5bc36a0..6991ea4 100644
--- a/crates/relicario-cli/src/helpers.rs
+++ b/crates/relicario-cli/src/helpers.rs
@@ -88,19 +88,21 @@ fn plural(n: i64) -> &'static str { if n == 1 { "" } else { "s" } }
 ///
 /// **Plaintext leak:** group names land on disk in cleartext alongside the
 /// vault directory. This is intentional — the file feeds shell completion,
-/// which cannot prompt for a passphrase. Set `RELICARIO_NO_GROUPS_CACHE=1`
-/// to suppress the write.
+/// which cannot prompt for a passphrase. In debug builds, set
+/// `RELICARIO_NO_GROUPS_CACHE=1` to suppress the write.
 pub fn groups_cache_path(vault_dir: &Path) -> PathBuf {
 vault_dir.join(".relicario").join("groups.cache")
 }
 
 /// Write the sorted set of group names to `/.relicario/groups.cache`,
-/// one name per line. A no-op if `RELICARIO_NO_GROUPS_CACHE` is set.
+/// one name per line. In debug builds, setting `RELICARIO_NO_GROUPS_CACHE`
+/// suppresses the write (developer debugging tool). In release builds the env
+/// var is ignored.
 pub fn write_groups_cache(
 vault_dir: &Path,
 groups: &std::collections::BTreeSet,
 ) -> std::io::Result<()> {
- if std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() {
+ if cfg!(debug_assertions) && std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() {
 return Ok(());
 }
 let path = groups_cache_path(vault_dir);
diff --git a/crates/relicario-cli/src/main.rs b/crates/relicario-cli/src/main.rs
index 3c4029a..438db21 100644
--- a/crates/relicario-cli/src/main.rs
+++ b/crates/relicario-cli/src/main.rs
@@ -170,7 +170,7 @@ enum Commands {
 ///
 /// For `--group ` autocomplete, the bash/zsh/fish scripts read
 /// the plaintext `${RELICARIO_VAULT}/.relicario/groups.cache` file,
- /// which the CLI refreshes on every manifest read. Set
+ /// which the CLI refreshes on every manifest read. In debug builds, set
 /// `RELICARIO_NO_GROUPS_CACHE=1` to opt out of the cache (completion
 /// will fall back to no value enumeration).
 ///
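Review bot: In `write_groups_cache` (helpers.rs), `cfg!(debug_assertions) && …` expands to a boolean literal, so the `var_os` call and its string are still compiled and vanish only if the optimiser folds the dead branch. The commit message's guarantee is firmer with conditional compilation, for example by wrapping the original check in a `#[cfg(debug_assertions)] { … }` block. The gate also follows the profile's `debug-assertions` setting rather than the profile name, so a release profile that enables debug assertions would still honour the variable; the doc comment could say `/// Honoured only when compiled with debug assertions enabled.` Because the comment above `groups_cache_path` still describes the file as a plaintext leak of group names, it should also state that release users can no longer suppress the write. The body of `write_groups_cache` continues past the end of the hunk.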
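Review bot: The reworded doc comment inside `enum Commands` (main.rs) still names `RELICARIO_NO_GROUPS_CACHE=1`. If these `///` lines are compiled into the CLI's help output, as they would be with a derive-based argument parser (not visible in the hunk), the variable name stays in release binaries, which contradicts the claim in the commit message. Release users would also be shown a knob that does nothing for them. Consider moving the sentence to a developer-facing doc and leaving help text such as `/// The cache is always written in release builds.` The enum body starts and ends outside the hunk.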