diff --git a/FORMATS.md b/FORMATS.md index 1cae632..94d6373 100644 --- a/FORMATS.md +++ b/FORMATS.md @@ -45,7 +45,7 @@ Parsed via `ParamsFile { kdf: KdfParams }` in `session.rs`. The `kdf` nesting is Decrypts to JSON matching the `Manifest` struct (`manifest.rs`). - **Schema version:** `MANIFEST_SCHEMA_VERSION = 2` (`manifest.rs:12`). v1 manifests (pre-typed-items) fail to parse and are not supported. -- **`ManifestEntry` fields:** `id`, `title`, `tags`, `favorite`, `group`, `icon_hint`, `modified`, `trashed_at`, `attachment_summaries`. +- **`ManifestEntry` fields** (declared order in `manifest.rs:21-38`): `id`, `type`, `title`, `tags`, `favorite`, `group`, `icon_hint`, `modified`, `trashed_at`, `attachment_summaries`. The `type` field is `r#type: ItemType` in Rust but serializes as the bare JSON key `"type"` (no serde rename — `r#` is just the raw-identifier escape). `group`, `icon_hint`, and `trashed_at` are `#[serde(skip_serializing_if = "Option::is_none")]`; `tags`, `favorite`, and `attachment_summaries` use `#[serde(default)]`. - The manifest is rebuilt from scratch on every `upsert` — it can never drift from the source-of-truth item files. - Supports case-insensitive title/tag search without decrypting any item. @@ -75,9 +75,9 @@ Commits by `public_key` at or after `revoked_at` (Unix seconds) are rejected by |---|---|---|---| | `ItemId` | 16 hex chars | 64 bits | `OsRng` | | `FieldId` | 16 hex chars | 64 bits | `OsRng` | -| `AttachmentId` | 16 hex chars | content-addressed | first 8 bytes of `SHA-256(plaintext)` | +| `AttachmentId` | 32 hex chars | 128 bits | first 16 bytes (32 hex chars) of `SHA-256` over the plaintext | -`AttachmentId` is content-addressed — identical plaintexts deduplicate in git automatically. +`AttachmentId` is content-addressed — identical plaintexts deduplicate in git automatically. The 128-bit truncation (`ids.rs:59-69`) was widened from 64 bits per audit I2/B4 to put birthday-collision risk out of reach. ## `.relbak` backup format diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index f5d67a7..b972fb5 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md @@ -161,11 +161,14 @@ master_key ────────►│ XChaCha20 │────── │ selected block: │ │ │ │ QIM embed bits │ - │ in positions │ - │ 4-15 (mid-freq) │ + │ in zig-zag │ + │ positions 6-17 │ + │ (mid-frequency) │ │ │ │ Repeat secret │ - │ 20+ times │ + │ MIN_COPIES (5) │ + │ to 50 times, │ + │ by capacity │ └────────┬─────────┘ │ ▼ @@ -181,6 +184,8 @@ master_key ────────►│ XChaCha20 │────── carries 256-bit secret) ``` +The redundancy count is chosen at embed time based on available DCT capacity: `num_copies = (total_blocks / BLOCKS_PER_COPY).min(50)`, with `BLOCKS_PER_COPY = 22` and a floor of `MIN_COPIES = 5` (`crates/relicario-core/src/imgsecret.rs:78,530-537`). Images that cannot fit at least 5 copies are rejected before embed. Majority voting across these copies at extract time requires ≥ 60 % confidence per bit. + ## Extraction (with crop recovery) ``` @@ -214,10 +219,12 @@ Input JPEG (possibly re-encoded or cropped) ┌─────────┬────────────────────────┬──────────────────┬──────────────────┐ │ version │ nonce │ ciphertext │ auth tag │ │ 1 byte │ 24 bytes │ N bytes │ 16 bytes │ -│ 0x01 │ random per write │ XChaCha20 stream │ Poly1305 MAC │ +│ 0x02 │ random per write │ XChaCha20 stream │ Poly1305 MAC │ └─────────┴────────────────────────┴──────────────────┴──────────────────┘ ``` +`VERSION_BYTE = 0x02` (`crates/relicario-core/src/crypto.rs:59`). Blobs starting with any other byte are rejected with `UnsupportedFormatVersion { found, expected: 0x02 }`. The legacy `0x01` format from the pre-typed-items era is no longer supported. + ## Crate Architecture ```