From 399a276fdd2e001d676eb11336ba6a148da686aa Mon Sep 17 00:00:00 2001
From: adlee-was-taken <aaron.daniel.lee@gmail.com>
Date: Mon, 27 Apr 2026 18:24:16 -0400
Subject: [PATCH] feat(ext/setup): refuse to overwrite existing vault files
 (Step 3a clobber guard)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 extension/src/setup/setup.ts | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/extension/src/setup/setup.ts b/extension/src/setup/setup.ts
index fd3b076..903a157 100644
--- a/extension/src/setup/setup.ts
+++ b/extension/src/setup/setup.ts
@@ -775,19 +775,14 @@ function attachStep3New(): void {
       const host = createGitHost(state.hostType, hostUrl, state.repoPath, state.apiToken);
 
       log('write .relicario/salt');
-      await host.writeFile('.relicario/salt', salt, 'init: vault salt');
+      await host.writeFileCreateOnly('.relicario/salt', salt, 'init: vault salt');
 
       log('write .relicario/params.json');
       const paramsBytes = new TextEncoder().encode(paramsJson);
-      await host.writeFile('.relicario/params.json', paramsBytes, 'init: KDF parameters');
-
-      log('write .relicario/devices.json');
-      const devicesJson = '{"devices":[]}';
-      const devicesBytes = new TextEncoder().encode(devicesJson);
-      await host.writeFile('.relicario/devices.json', devicesBytes, 'init: device registry');
+      await host.writeFileCreateOnly('.relicario/params.json', paramsBytes, 'init: KDF parameters');
 
       log('write manifest.enc');
-      await host.writeFile(
+      await host.writeFileCreateOnly(
         'manifest.enc',
         new Uint8Array(encryptedManifest),
         'init: encrypted manifest',
@@ -806,7 +801,12 @@ function attachStep3New(): void {
       console.error(`[relicario setup] vault creation FAILED during "${stage}":`, err);
       state.creating = false;
       const detail = err instanceof Error ? err.message : String(err);
-      state.error = `Vault creation failed at "${stage}": ${detail}`;
+      if (/already exists/.test(detail)) {
+        const path = detail.replace(/^.*?writeFileCreateOnly: /, '').replace(/ already exists$/, '');
+        state.error = `A file at ${path} already exists on the remote — refusing to overwrite. Re-run setup; the wizard will offer to attach to the existing vault.`;
+      } else {
+        state.error = `Vault creation failed at "${stage}": ${detail}`;
+      }
       render();
     }
   });