fix(cli): cfg-gate RELICARIO_NO_GROUPS_CACHE to debug builds (audit S3)

The groups-cache opt-out is a developer debugging knob, not a
user-facing config. Gating the env-var lookup behind cfg!(debug_assertions)
makes release builds ignore the variable; the optimiser removes the
lookup entirely, so the variable name doesn't appear in the `strings`
output of the release binary.

Doc-comments updated to reflect the new behaviour.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
adlee-was-taken
2026-05-02 18:51:15 -04:00
parent 95d1ff833c
commit 006e67c361
2 changed files with 7 additions and 5 deletions


@@ -88,19 +88,21 @@ fn plural(n: i64) -> &'static str { if n == 1 { "" } else { "s" } }
/// ///
/// **Plaintext leak:** group names land on disk in cleartext alongside the /// **Plaintext leak:** group names land on disk in cleartext alongside the
/// vault directory. This is intentional — the file feeds shell completion, /// vault directory. This is intentional — the file feeds shell completion,
/// which cannot prompt for a passphrase. Set `RELICARIO_NO_GROUPS_CACHE=1` /// which cannot prompt for a passphrase. In debug builds, set
/// to suppress the write. /// `RELICARIO_NO_GROUPS_CACHE=1` to suppress the write.
pub fn groups_cache_path(vault_dir: &Path) -> PathBuf { pub fn groups_cache_path(vault_dir: &Path) -> PathBuf {
vault_dir.join(".relicario").join("groups.cache") vault_dir.join(".relicario").join("groups.cache")
} }
/// Write the sorted set of group names to `<vault_dir>/.relicario/groups.cache`, /// Write the sorted set of group names to `<vault_dir>/.relicario/groups.cache`,
/// one name per line. A no-op if `RELICARIO_NO_GROUPS_CACHE` is set. /// one name per line. In debug builds, setting `RELICARIO_NO_GROUPS_CACHE`
/// suppresses the write (developer debugging tool). In release builds the env
/// var is ignored.
pub fn write_groups_cache( pub fn write_groups_cache(
vault_dir: &Path, vault_dir: &Path,
groups: &std::collections::BTreeSet<String>, groups: &std::collections::BTreeSet<String>,
) -> std::io::Result<()> { ) -> std::io::Result<()> {
if std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() { if cfg!(debug_assertions) && std::env::var_os("RELICARIO_NO_GROUPS_CACHE").is_some() {
return Ok(()); return Ok(());
} }
let path = groups_cache_path(vault_dir); let path = groups_cache_path(vault_dir);
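Review bot: With the guard at the top of `write_groups_cache` now short-circuited by `cfg!(debug_assertions)`, a release build writes the cleartext group names unconditionally, and anyone who had exported `RELICARIO_NO_GROUPS_CACHE=1` to keep them off disk gets no indication that the variable stopped working. The "Plaintext leak" paragraph above `groups_cache_path` should say so outright, e.g. `/// Release builds always write this file; there is no opt-out.`, and the change deserves a changelog entry. Separately, `cfg!` only expands to a `false` literal, so dropping the lookup and its string from the binary is left to the optimiser; putting `#[cfg(debug_assertions)]` on the `if` statement instead removes it at compile time regardless of opt level. The rest of the function, including how the file is created and with what permissions, is outside the hunk.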


@@ -170,7 +170,7 @@ enum Commands {
/// ///
/// For `--group <TAB>` autocomplete, the bash/zsh/fish scripts read /// For `--group <TAB>` autocomplete, the bash/zsh/fish scripts read
/// the plaintext `${RELICARIO_VAULT}/.relicario/groups.cache` file, /// the plaintext `${RELICARIO_VAULT}/.relicario/groups.cache` file,
/// which the CLI refreshes on every manifest read. Set /// which the CLI refreshes on every manifest read. In debug builds, set
/// `RELICARIO_NO_GROUPS_CACHE=1` to opt out of the cache (completion /// `RELICARIO_NO_GROUPS_CACHE=1` to opt out of the cache (completion
/// will fall back to no value enumeration). /// will fall back to no value enumeration).
/// ///
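Review bot: This doc comment sits on a variant of `enum Commands`, which looks like it is rendered as the subcommand's help text (inferred; the derive is not visible in the hunk), so users of a release binary would be told about a variable their build ignores. Consider keeping the debug-only knob out of user-facing help and stating the release behaviour instead, e.g. `/// which the CLI refreshes on every manifest read. Release builds always` followed by `/// write this file, and group names are stored in it unencrypted.` The enum body starts and ends outside the hunk.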