From 1342228a51e36ff37e3d256fe18d9d04735ad1cc Mon Sep 17 00:00:00 2001 From: adlee-was-taken Date: Sat, 2 May 2026 16:25:21 -0400 Subject: [PATCH] docs(security): name relicario-server in device-auth section (audit F11/F12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - F12: Device Authentication section now names the relicario-server crate and its two subcommands (generate-hook, verify-commit), and notes that signed commits without the server-side hook provide authorship only — any pusher can still land an unsigned commit. - F11: drop the "optional before v0.4.0" version line (v0.4.0 was never tagged; v0.5.0 is the first release with the hook) and replace with a one-liner: registration is optional but recommended for shared vaults. Co-Authored-By: Claude Opus 4.7 --- docs/SECURITY.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index d99a64b..972375e 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -48,6 +48,19 @@ When enabled, device authentication provides: - **Push access control**: Deploy keys managed via Gitea API - **Instant revocation**: One command cuts off both signing and push +Enforcement requires deploying the `relicario-server` pre-receive hook +on the vault remote. The crate provides two subcommands: + +- `relicario-server generate-hook` — emits the hook script to install at + `/hooks/pre-receive` +- `relicario-server verify-commit ` — checks one commit's signature + against `.relicario/devices.json` and `.relicario/revoked.json` as of + that commit; the hook calls this for every pushed ref + +Without the server hook, signed commits provide authorship metadata only +— any process with push access can land an unsigned commit, since +verification is otherwise advisory. + See `docs/superpowers/specs/2026-05-02-device-authentication-design.md`. ## Access Control 
@@ -57,5 +70,4 @@ Without device authentication, access control is transport-layer only: - **CLI**: SSH key authentication to git remote - **Extension**: Git credentials in browser storage -Device registration was optional before v0.4.0. With device auth enabled, -all commits must be signed by a registered device. +Device registration is optional but recommended for shared vaults.
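Review bot: In the `verify-commit` bullet of the Device Authentication hunk, "as of that commit" leaves open whether `.relicario/devices.json` and `.relicario/revoked.json` are read from the commit being verified or from its parent. The difference matters for a commit that edits those files itself, so the doc should state which tree is the source of truth. The same bullet says the hook calls this "for every pushed ref" while the subcommand checks one commit; say explicitly whether every commit in a pushed range is verified or only the ref tip.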
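Review bot: In the Access Control hunk, the removed lines also drop "all commits must be signed by a registered device", which the commit message does not mention (F11 only covers the version line). After this change the section no longer says what enabling device auth requires. Suggest keeping that statement next to the new one-liner and tying it to the hook described earlier in the file, for example "With device auth enabled and the server hook installed, all commits must be signed by a registered device."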