alee/relicario
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

docs: fix crypto/format drift — version byte 0x02, AttachmentId 32 hex, DCT 5-50

Browse Source 
Punch items from doc audit:
- docs/ARCHITECTURE.md: encrypted file format diagram said version byte
  0x01; actual VERSION_BYTE is 0x02 (crypto.rs:59) and 0x01 is rejected
  with UnsupportedFormatVersion.
- docs/ARCHITECTURE.md: DCT embedding diagram said "Repeat secret 20+
  times" and "positions 4-15"; actual is MIN_COPIES (5) to 50 copies
  chosen by capacity, embedded in zig-zag positions 6-17
  (imgsecret.rs:78, 99-104, 530-537).
- FORMATS.md: AttachmentId table said 16 hex chars / 8 bytes; actual is
  32 hex chars / first 16 bytes of SHA-256 (ids.rs:59-69).
- FORMATS.md: ManifestEntry schema missing r#type field; updated to list
  all ten fields in declared order with serde decorations noted
  (manifest.rs:21-38).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
adlee-was-taken
2026-05-30 13:24:40 -04:00
parent 74a520bada
commit 210232d156
2 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
FORMATS.md
View File

@@ -45,7 +45,7 @@ Parsed via `ParamsFile { kdf: KdfParams }` in `session.rs`. The `kdf` nesting is
Decrypts to JSON matching the `Manifest` struct (`manifest.rs`).
- **Schema version:** `MANIFEST_SCHEMA_VERSION = 2` (`manifest.rs:12`). v1 manifests (pre-typed-items) fail to parse and are not supported.
- **`ManifestEntry` fields:** `id`, `title`, `tags`, `favorite`, `group`, `icon_hint`, `modified`, `trashed_at`, `attachment_summaries`.
- **`ManifestEntry` fields** (declared order in `manifest.rs:21-38`): `id`, `type`, `title`, `tags`, `favorite`, `group`, `icon_hint`, `modified`, `trashed_at`, `attachment_summaries`. The `type` field is `r#type: ItemType` in Rust but serializes as the bare JSON key `"type"` (no serde rename — `r#` is just the raw-identifier escape). `group`, `icon_hint`, and `trashed_at` are `#[serde(skip_serializing_if = "Option::is_none")]`; `tags`, `favorite`, and `attachment_summaries` use `#[serde(default)]`.
- The manifest is rebuilt from scratch on every `upsert` — it can never drift from the source-of-truth item files.
- Supports case-insensitive title/tag search without decrypting any item.
@@ -75,9 +75,9 @@ Commits by `public_key` at or after `revoked_at` (Unix seconds) are rejected by
|---|---|---|---|
| `ItemId` | 16 hex chars | 64 bits | `OsRng` |
| `FieldId` | 16 hex chars | 64 bits | `OsRng` |
| `AttachmentId` | 16 hex chars | content-addressed | first 8 bytes of `SHA-256(plaintext)` |
| `AttachmentId` | 32 hex chars | 128 bits | first 16 bytes (32 hex chars) of `SHA-256` over the plaintext |
`AttachmentId` is content-addressed — identical plaintexts deduplicate in git automatically.
`AttachmentId` is content-addressed — identical plaintexts deduplicate in git automatically. The 128-bit truncation (`ids.rs:59-69`) was widened from 64 bits per audit I2/B4 to put birthday-collision risk out of reach.
## `.relbak` backup format