feat(core/org): encrypt/decrypt_org_manifest vault wrappers

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy

crates/relicario-core/src/lib.rs

@@ -78,8 +78,8 @@ pub use generators::{generate_passphrase, generate_password, rate_passphrase, va
 
 pub mod vault;
 pub use vault::{
-    decrypt_item, decrypt_manifest, decrypt_settings,
+    decrypt_item, decrypt_manifest, decrypt_org_manifest, decrypt_settings,
-    encrypt_item, encrypt_manifest, encrypt_settings,
+    encrypt_item, encrypt_manifest, encrypt_org_manifest, encrypt_settings,
 };
 
 pub mod imgsecret;

crates/relicario-core/src/vault.rs

@@ -11,6 +11,7 @@ use crate::crypto::{decrypt, encrypt};
 use crate::error::Result;
 use crate::item::Item;
 use crate::manifest::Manifest;
+use crate::org::OrgManifest;
 use crate::settings::VaultSettings;
 
 pub fn encrypt_item(item: &Item, master_key: &Zeroizing<[u8; 32]>) -> Result<Vec<u8>> {
@@ -52,6 +53,19 @@ pub fn decrypt_settings(encrypted: &[u8], master_key: &Zeroizing<[u8; 32]>) -> R
     Ok(settings)
 }
 
+pub fn encrypt_org_manifest(manifest: &OrgManifest, org_key: &Zeroizing<[u8; 32]>) -> Result<Vec<u8>> {
+    let json = serde_json::to_vec(manifest)?;
+    let plaintext = Zeroizing::new(json);
+    encrypt(org_key, plaintext.as_slice())
+}
+
+pub fn decrypt_org_manifest(encrypted: &[u8], org_key: &Zeroizing<[u8; 32]>) -> Result<OrgManifest> {
+    let plaintext = decrypt(org_key, encrypted)?;
+    let plaintext = Zeroizing::new(plaintext);
+    let manifest: OrgManifest = serde_json::from_slice(&plaintext)?;
+    Ok(manifest)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -87,4 +101,27 @@ mod tests {
         assert_eq!(decoded.attachment_caps.per_attachment_max_bytes,
                    s.attachment_caps.per_attachment_max_bytes);
     }
+
+    #[test]
+    fn org_manifest_round_trip() {
+        use crate::org::{OrgManifest, OrgManifestEntry};
+        use crate::ids::ItemId;
+        use crate::item_types::ItemType;
+
+        let mut m = OrgManifest::new();
+        m.entries.push(OrgManifestEntry {
+            id: ItemId::new(),
+            r#type: ItemType::SecureNote,
+            title: "test".into(),
+            tags: vec![],
+            modified: 0,
+            trashed_at: None,
+            collection: "prod".into(),
+        });
+        let key = key();
+        let bytes = encrypt_org_manifest(&m, &key).unwrap();
+        let decoded = decrypt_org_manifest(&bytes, &key).unwrap();
+        assert_eq!(decoded.entries.len(), 1);
+        assert_eq!(decoded.entries[0].collection, "prod");
+    }
 }