docs: record v0.9.0 org-write spike decision + device-key prereq (PM)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
This commit is contained in:
adlee-was-taken
2026-06-26 00:39:54 -04:00
parent 79284979c1
commit 13512ed9bf
2 changed files with 26 additions and 1 deletions

View File

@@ -30,6 +30,16 @@ Therefore org **write** from the extension must construct and push a **signed co
The spike result is recorded back into this spec and `STATUS.md` before A3 build work starts.
### Spike result + transport decision (resolved 2026-06-25)
The spike (Dev-C, commit `426b82a`; evidence in `docs/superpowers/spikes/2026-06-20-org-signed-commit-spike.md`) returned **GO on the signature mechanism**: a SW-built SSHSIG commit (raw `sign_for_git` + manual SSHSIG framing — **no new WASM export**) passes both `git verify-commit` and `relicario-server verify-org-commit`, including the item+manifest dual-write with grant/slug authz. The hook matches the **signing-key fingerprint → `members[].ed25519_pubkey`** (committer/author text is free-form, not checked — this corrects the "committer identity must match" assumption).
**Transport finding (corrects this section's planned approach):** the GitHub-style Git Data API path is **GitHub-only**. Research (vs Gitea 1.26.4 / roadmap / the `repo_file.go` structs / open issues #30955, #22100) confirms **no Gitea version exposes a write Git Data API or accepts a caller-supplied commit signature** (the Contents API signs with the instance key or not at all), and none is planned. So A3 does **not** use the host REST API. Org write ships via **native `git-receive-pack` packfile push (isomorphic-git in the SW)** — host-agnostic, works at any Gitea version, preserves the SSHSIG byte-for-byte; the extension's `host_permissions` removes the usual CORS-proxy requirement. This becomes the **single universal write path for both Gitea and GitHub** (~68KB gzip dependency).
**Decision (user, 2026-06-25): build the universal packfile-push write path now, in v0.9.0** — not the deferred fallback. A3 (Plan C) is re-scoped: a small SSHSIG-through-isomorphic-git mini-spike, then the universal `commitSigned`, then the write handlers + UI (held until A0A2 land). A focused `/security-review` on the push path is mandatory before merge.
**Latent bug noted (separate follow-up):** `extension/src/service-worker/gitea.ts` `putBlob` calls nonexistent Gitea `/git` write endpoints — large attachments would 404 on a Gitea host (pre-existing ~v0.8.2).
## Architecture
An org vault is a second git repo alongside the personal vault, cryptographically isolated (org spec § Architecture). The org master key is a random 256-bit key, wrapped per member via ECIES (X25519 + XChaCha20-Poly1305) to their device ed25519 key. The extension mirrors the CLI: unwrap the org key with the device private key, decrypt items exactly as the personal vault does — but with the org key, not the Argon2id-derived personal key.