docs(status): keyfile track complete (D+minors+E merged); org track in progress (A I1-fix gated, B building+config-add, C held)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
This commit is contained in:
adlee-was-taken
2026-06-27 11:04:09 -04:00
parent 2ff5e5b584
commit 7932703bc1

View File

@@ -14,7 +14,10 @@ Two-track multi-agent lift (5 streams, relay-coordinated; PM + Dev-A..E):
- **Org track (merge order A→B→C):** Dev-A org SW+WASM foundation, Dev-B org read UI, Dev-C org write. - **Org track (merge order A→B→C):** Dev-A org SW+WASM foundation, Dev-B org read UI, Dev-C org write.
- **Keyfile track (merge order D→E):** Dev-D keyfile core/cli/wasm, Dev-E keyfile extension + positioning pivot. Independent of the org track. - **Keyfile track (merge order D→E):** Dev-D keyfile core/cli/wasm, Dev-E keyfile extension + positioning pivot. Independent of the org track.
**Merged to main so far:** Dev-D keyfile core/cli/wasm — `588495f` (2026-06-26). Two-review-clean (PM diff read + independent security subagent; PASS, no Critical/Important); merged tree green (workspace `cargo test` incl. the non-tautological equivalence test, `clippy -D warnings`). 3 minor follow-ups tracked for a `fix/v0.9.0-keyfile-minors` branch before the tag: (1) `keyfile_encode``Zeroizing<Vec<u8>>`; (2) test the `backup --include-image` clean-error on keyfile vaults; (3) integration test for malformed-keyfile vs wrong-secret at unlock. Plus the deferred `backup --include-keyfile` sibling. Dev-E green-lit (next in keyfile track). **Merge progress (as of 2026-06-27):**
- **Keyfile track ✅ COMPLETE** — Dev-D keyfile core/cli/wasm (`588495f`), Dev-D security-review minors (`2262272`: `keyfile_encode``Zeroizing` + a backup-keyfile-error test + the no-oracle malformed-vs-wrong pair), Dev-E keyfile extension + positioning docs (`2ff5e5b`). All merged + verified, each two-review-clean (PM diff read + independent security subagent for D; E's mandatory `/security-review` no-findings + opus whole-branch + PM SECURITY.md read). The **pluggable second factor ships end-to-end** (CLI `init --key-file`/unlock/recovery-qr + extension wizard/unlock/attach), documented honestly (secret in the clear but gitignored/local-only and never pushed; not weaker than stego).
- **Org track — in progress:** Dev-A org foundation REVIEW-READY, security verdict **PASS-WITH-MINOR** (all 4 crypto invariants confirmed: privkey never to JS, lock/timer zero ALL handles, org key never persisted, filter single-sourced). Merge gated on one required 3-line fix — **I1**: free the orphaned org-key handle on the `openOrg` error path (else an unwrapped org key can persist in WASM past a lock). Dev-B building org read UI (Tasks 1-5) + an **added config-write flow** (`org_add_config` SW msg + add-org form — needed because `org_list_configs` reads `orgConfigs` but nothing wrote them, so org-read was otherwise unreachable); B's final push held until A merges. Dev-C org-write transport (universal `commitSigned`, isomorphic-git `git-receive-pack`) done + security-clean; Tasks 3-5 (handlers/UI/acceptance) held until A+B merge.
- **Pre-tag follow-ups:** Dev-A M1 (one-time user notice that the device-key migration mints a new device identity) + M2 (recovery path for a corrupt `device_key_enc`); `backup --include-keyfile` sibling; the `gitea.ts putBlob` latent bug; stale-worktree cleanup (3 v0.8.1 worktrees + 2 leftover review worktrees in scratchpad).
**Org-write transport decision (2026-06-25) — recorded per the org-GUI spec's spike gate:** **Org-write transport decision (2026-06-25) — recorded per the org-GUI spec's spike gate:**
- Spike (Dev-C, `426b82a`; doc `docs/superpowers/spikes/2026-06-20-org-signed-commit-spike.md`): **signature mechanism is GO** — a SW-built SSHSIG commit (raw `sign_for_git` + manual SSHSIG framing, no new WASM export) passes both `git verify-commit` and `relicario-server verify-org-commit`, incl. item+manifest dual-write + grant/slug authz. Hook matches the **signing-key fingerprint**`members[].ed25519_pubkey` (committer text free-form, not checked). - Spike (Dev-C, `426b82a`; doc `docs/superpowers/spikes/2026-06-20-org-signed-commit-spike.md`): **signature mechanism is GO** — a SW-built SSHSIG commit (raw `sign_for_git` + manual SSHSIG framing, no new WASM export) passes both `git verify-commit` and `relicario-server verify-org-commit`, incl. item+manifest dual-write + grant/slug authz. Hook matches the **signing-key fingerprint**`members[].ed25519_pubkey` (committer text free-form, not checked).