chore: merge rename commit into Plan 1B branch

Resolves conflicts from merging origin/main (idfoto→relicario rename):
- Kept Plan 1A's typed-item vault.rs, lib.rs, integration.rs over main's
  old entry-based versions
- Took main's relicario_dir() fix in CLI main.rs (sed had missed idfoto_dir)
- Kept Plan 1A's UnsupportedFormatVersion error variant in crypto.rs
- Kept Plan 1A's opaque Decrypt message (audit M4) in error.rs
- Deleted entry.rs (replaced by item.rs + typed modules in Plan 1A)
- Resolved Cargo.toml description to main's "relicario password manager"

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/relicario-core/Cargo.toml

@@ -2,7 +2,7 @@
 name = "relicario-core"
 version = "0.1.0"
 edition = "2021"
-description = "Core library for idfoto password manager"
+description = "Core library for relicario password manager"
 
 [dependencies]
 thiserror = "2"
@@ -25,3 +25,4 @@ hex = "0.4"
 url = { version = "2", features = ["serde"] }
 getrandom = "0.2"
 
+[dev-dependencies]

crates/relicario-core/src/crypto.rs

@@ -298,7 +298,7 @@ mod tests {
     #[test]
     fn encrypt_decrypt_round_trip() {
         let key = [0xABu8; 32];
-        let plaintext = b"hello, idfoto!";
+        let plaintext = b"hello, relicario!";
 
         let ciphertext = encrypt(&key, plaintext).unwrap();
         let decrypted = decrypt(&key, &ciphertext).unwrap();

crates/relicario-core/src/error.rs

@@ -14,9 +14,14 @@ use thiserror::Error;
 /// steganography -> serialization -> device keys.
 #[derive(Debug, Error)]
 pub enum RelicarioError {
+    /// The Argon2id key derivation failed. This typically means invalid KDF
+    /// parameters were supplied (e.g., memory cost below Argon2's minimum).
     #[error("key derivation failed: {0}")]
     Kdf(String),
 
+    /// XChaCha20-Poly1305 encryption failed. In practice this is extremely rare
+    /// -- the only realistic cause is an internal library error, since the cipher
+    /// accepts arbitrary-length plaintext.
     #[error("encryption failed: {0}")]
     Encrypt(String),
 
@@ -24,6 +29,10 @@ pub enum RelicarioError {
     #[error("decryption failed")]
     Decrypt,
 
+    /// The binary ciphertext blob does not match the expected format (e.g.,
+    /// too short to contain the version byte + nonce + tag, or an unrecognized
+    /// version byte). This usually indicates file corruption or a version
+    /// mismatch between the writer and reader.
     #[error("invalid vault format: {0}")]
     Format(String),
 
@@ -42,9 +51,15 @@ pub enum RelicarioError {
     #[error("attachment too large: {size} bytes > {max} bytes max")]
     AttachmentTooLarge { size: u64, max: u64 },
 
+    /// A general error from the image steganography subsystem (imgsecret).
+    /// Covers issues like failing to decode the carrier JPEG or failing to
+    /// encode the output JPEG after modification.
     #[error("imgsecret: {0}")]
     ImgSecret(String),
 
+    /// The carrier image is too small to hold the embedded secret with
+    /// sufficient redundancy. The embed region (central 70% of the image)
+    /// must contain at least `BLOCKS_PER_COPY * MIN_COPIES` 8x8 blocks.
     #[error("image too small: need at least {min_width}x{min_height}, got {actual_width}x{actual_height}")]
     ImageTooSmall {
         min_width: u32,
@@ -53,12 +68,22 @@ pub enum RelicarioError {
         actual_height: u32,
     },
 
+    /// Secret extraction from a JPEG failed. This can mean:
+    /// - The image never had a secret embedded in it.
+    /// - The image was recompressed below Q85, destroying the QIM watermarks.
+    /// - The image was cropped beyond the 15% crumple zone.
+    /// - Majority-vote confidence fell below the 60% threshold on one or more bits.
     #[error("extraction failed: no valid secret found in image")]
     ExtractionFailed,
 
+    /// JSON serialization or deserialization of an entry or manifest failed.
+    /// Wraps [`serde_json::Error`] transparently via `#[from]`.
     #[error("json error: {0}")]
     Json(#[from] serde_json::Error),
 
+    /// An error related to device ed25519 key operations. Device keys are
+    /// separate from the vault KDF -- revoking a device does not require
+    /// rotating the passphrase or reference image.
     #[error("device key error: {0}")]
     DeviceKey(String),
 }

crates/relicario-core/src/imgsecret.rs

@@ -1,6 +1,6 @@
 //! DCT-based steganographic embedding of a 256-bit secret in JPEG images.
 //!
-//! This is the novel component of idfoto. It hides a 32-byte secret inside a
+//! This is the novel component of relicario. It hides a 32-byte secret inside a
 //! JPEG image's luminance channel using Quantization Index Modulation (QIM) on
 //! mid-frequency DCT coefficients, with majority voting across multiple redundant
 //! copies for robustness.

crates/relicario-core/src/lib.rs

@@ -1,6 +1,6 @@
 //! # relicario-core
 //!
-//! Platform-agnostic core library for the idfoto password manager.
+//! Platform-agnostic core library for the relicario password manager.
 //!
 //! This crate is intentionally **bytes-in/bytes-out** -- it performs no filesystem
 //! access, no network I/O, and no git operations. All inputs arrive as byte slices