From 726a2d91a4ce1bf134a472f5f30af0079c784948 Mon Sep 17 00:00:00 2001 From: adlee-was-taken Date: Sat, 27 Jun 2026 14:35:34 -0400 Subject: [PATCH] docs(status): org A+B merged (33dd018, a530e44); 4/5 streams in, Dev-C org-write the last Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP --- STATUS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/STATUS.md b/STATUS.md index 8e75842..1ad9212 100644 --- a/STATUS.md +++ b/STATUS.md @@ -16,7 +16,7 @@ Two-track multi-agent lift (5 streams, relay-coordinated; PM + Dev-A..E): **Merge progress (as of 2026-06-27):** - **Keyfile track ✅ COMPLETE** — Dev-D keyfile core/cli/wasm (`588495f`), Dev-D security-review minors (`2262272`: `keyfile_encode`→`Zeroizing` + a backup-keyfile-error test + the no-oracle malformed-vs-wrong pair), Dev-E keyfile extension + positioning docs (`2ff5e5b`). All merged + verified, each two-review-clean (PM diff read + independent security subagent for D; E's mandatory `/security-review` no-findings + opus whole-branch + PM SECURITY.md read). The **pluggable second factor ships end-to-end** (CLI `init --key-file`/unlock/recovery-qr + extension wizard/unlock/attach), documented honestly (secret in the clear but gitignored/local-only and never pushed; not weaker than stego). -- **Org track — in progress:** Dev-A org foundation REVIEW-READY, security verdict **PASS-WITH-MINOR** (all 4 crypto invariants confirmed: privkey never to JS, lock/timer zero ALL handles, org key never persisted, filter single-sourced). Merge gated on one required 3-line fix — **I1**: free the orphaned org-key handle on the `openOrg` error path (else an unwrapped org key can persist in WASM past a lock). Dev-B building org read UI (Tasks 1-5) + an **added config-write flow** (`org_add_config` SW msg + add-org form — needed because `org_list_configs` reads `orgConfigs` but nothing wrote them, so org-read was otherwise unreachable); B's final push held until A merges. Dev-C org-write transport (universal `commitSigned`, isomorphic-git `git-receive-pack`) done + security-clean; Tasks 3-5 (handlers/UI/acceptance) held until A+B merge. +- **Org track — A ✅ + B ✅ MERGED; C in progress (final stream):** Dev-A org foundation merged (`33dd018`) — device-key persist/restore (Variant Y, key never to JS), multi-context session zero-all, ECIES org unwrap, grant-filtered read; security PASS-WITH-MINOR with **I1** (free the orphaned org-key handle on the `openOrg` error path) + the error-copy coverage gap both fixed pre-merge. Dev-B org read UI + the **added config-write flow** (`org_add_config` + add-org form — `org_list_configs` read `orgConfigs` but nothing wrote them) merged (`a530e44`); its opus review caught + fixed a **CRITICAL read-only misroute** (org detail/drawer showed edit/trash firing *personal* update/delete with the org id) — read-only now enforced across list/detail/drawer/sidebar. Dev-C (org write) building Tasks 3-5 (`org_add/update/delete` via the universal `commitSigned`, honoring the manifest landmine + client grant check; write UI on B's surfaces; acceptance) + the mandatory `/security-review` → its REVIEW-READY is the org track's final merge. - **Pre-tag follow-ups:** Dev-A M1 (one-time user notice that the device-key migration mints a new device identity) + M2 (recovery path for a corrupt `device_key_enc`); `backup --include-keyfile` sibling; the `gitea.ts putBlob` latent bug; stale-worktree cleanup (3 v0.8.1 worktrees + 2 leftover review worktrees in scratchpad). **Org-write transport decision (2026-06-25) — recorded per the org-GUI spec's spike gate:**