docs(org): complete A5 living-docs sweep (item CRUD merged) + dead_code cleanup

Extends the A5 pre-stage now that dev-b's full B-stream (item CRUD + all 19 org subcommands) merged to main (7392795). Living docs: - FORMATS/CRYPTO/SECURITY/DESIGN: flip the item-CRUD "pending Dev-B" markers to shipped; SECURITY audit vocabulary moves item-* actions to live. - crates/relicario-cli/ARCHITECTURE.md: full 19-subcommand surface (12 admin + 7 item CRUD), accurate OrgAddKind scope (Login/SecureNote/Identity). - STATUS.md: enterprise-org-vault landed section (merged 7392795) + tracked follow-ups + honest known-limitations; correct spec citation. - ROADMAP.md: backend-complete row + phase-2 follow-ups. - CHANGELOG.md: finalize the enterprise-org-vault Unreleased section (item CRUD into Added; Card/Key/Document/Totp + extension + phase-2 into Deferred). Code (PM-directed dead_code fixes): wire device::current_device_seed by removing the identical duplicate private fn in org_session.rs (de-dup); #[allow(dead_code)] + justification on org_session org_meta_path/load_meta (API completeness, no command consumes org.json yet). Also silence a 3rd pre-existing test-only warning (unused relicario() helper in tests/org_init_signing.rs). Honest deferrals kept explicit throughout: Card/Key/Document/Totp org add/edit parity, extension org switch/read (Dev-D) + writes, phase-2 (SSO/LDAP, read audit, per-collection subkeys, HTTP plane). Full workspace cargo test green, zero warnings. All cited code constants pinned file:line. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy
2026-06-20 15:54:51 -04:00
parent 8bb1d779c4
commit 0cd417ded7
10 changed files with 123 additions and 66 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,12 @@
 # Changelog

-## Unreleased — enterprise org vault (in progress)
+## Unreleased — enterprise org vault

 Git-native multi-user **org vaults**: a separate org git repository alongside each
 member's personal vault, with a 256-bit org master key ECIES-wrapped per member to
 their ed25519 device key, collection-scoped item storage, role-based access, and a
-signature-verifying pre-receive hook that makes least-privilege server-enforced.
-Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`. Entries
-below cover the **already-merged** core (A) + server (C) + CLI admin work; item CRUD
-and extension parity land subsequently.
+signature-verifying pre-receive hook that makes least-privilege enforcement
+server-side. Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`.

 ### Added
 - **relicario-core `org` module** (`crates/relicario-core/src/org.rs`): org types
@@ -17,22 +15,39 @@ and extension parity land subsequently.
  key wrap/unwrap (`generate_org_key`, `wrap_org_key`, `unwrap_org_key`) — ed25519→
  X25519 via RFC 7748 clamp, domain-separated `SHA-256(dh || eph_pk || rcpt_pk)` KDF,
  XChaCha20-Poly1305 inner cipher, all key material in `Zeroizing`. Adds
-  `encrypt_org_manifest` / `decrypt_org_manifest` vault wrappers. New dependency
-  `x25519-dalek 2` (`static_secrets`).
- **relicario-server org mode**: `verify-org-commit` (signature verification against
-  `members.json`, path-scoped role/grant authorization, owner-only elevation judged
-  on the signer's pre-commit role, schema-version monotonicity) and
-  `generate-org-hook`; new `[lib]` target (`classify_path`, `extract_schema_version`).
+  `encrypt_org_manifest` / `decrypt_org_manifest` vault wrappers. New dependencies:
+  `x25519-dalek 2` (`static_secrets`) in core, `ssh-key 0.6` in core and CLI.
+- **relicario-server org mode**: `verify-org-commit` (commit-signature verification
+  against `members.json` ed25519 keys, path-scoped role/grant authorization,
+  owner-only elevation judged on the signer's pre-commit role, schema-version
+  monotonicity) and `generate-org-hook`; new `[lib]` target (`classify_path`,
+  `extract_schema_version`). Audit trail on every push carries verified-signer
+  attribution; commits whose signer cannot be matched are flagged `TAMPERED`.
 - **relicario-cli org admin commands**: `org init`, `add-member` / `remove-member` /
  `set-role` (owner-only escalation guard), `create-collection` / `grant` / `revoke`,
-  `rotate-key` (re-encrypts every item blob + manifest under a fresh key),
-  `status` / `audit` (verified-signer attribution + `TAMPERED` flag). Org commits are
-  signed (`org_git_run` preserves signing). New `ssh-key` dependency in the CLI.
+  `rotate-key` (re-encrypts every item blob + manifest under a fresh org key),
+  `transfer-ownership`, `delete-org` (local tombstone; hook blocks pushing a
+  protected-file deletion), `status` / `audit`. Org commits are signed
+  (`org_git_run` preserves signing).
+- **relicario-cli org item CRUD**: `org add` (Login, SecureNote, Identity — each
+  collection-scoped and grant-enforced), `org get <query> [--show]` (secrets masked
+  by default; renders Login/SecureNote/Identity/Card/Document/Totp), `org list
+  [--trashed]` (manifest filtered to your collection grants), `org edit <query>`
+  (flag-driven field updates for login/note/identity fields), `org rm` / `org restore`
+  / `org purge` (soft-delete lifecycle). Audit actions emitted: `item-create`,
+  `item-update`, `item-delete`, `item-restore`, `item-purge`.

-### TODO (pending merge)
- CLI item CRUD: `org add` / `get` / `list` / `edit` / `rm` / `restore` / `purge`,
-  and the final `Commands::Org` wiring in `main.rs` (Dev-B B9–B14).
+### Deferred
+- `org add` / `org edit` parity for Card, SshKey, Document, and Totp item types
+  (only Login, SecureNote, Identity supported today; `org get` and `org list` can
+  display all types already present in the vault).
 - Extension org switch + read-only browse parity (Dev-D follow-up).
+- Extension org writes.
+- Phase-2 features: SSO/LDAP provisioning, read audit trail, per-collection subkeys
+  (the current shared org master key scopes *writes* via the hook and *read access*
+  via manifest filtering, but does not cryptographically isolate collections from one
+  another — a member who obtains the org key can decrypt any blob), HTTP management
+  plane.

 ## v0.7.0 — 2026-06-01