diff --git a/CHANGELOG.md b/CHANGELOG.md index afa1bf0..c3a1137 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,35 @@ - **`relicario status`** — vault summary: root path, item count (active / trashed), attachment count + total bytes, registered device count, last commit (`%h %s`). +- **Backup & restore.** New `relicario backup export ` and + `relicario backup restore []` commands. The `.relbak` + format is a single encrypted file: Argon2id-derived key from a + user-chosen backup passphrase (independent of the vault factor), + XChaCha20-Poly1305 ciphertext, zstd-compressed JSON envelope. + Reference image and `.git/` history are opt-in inclusions + (`--include-image`, `--no-history`). +- **Vault-tab Backup & Restore panel.** Export downloads the + `.relbak` via `chrome.downloads`. Restore takes a file + backup + passphrase + new-remote config and writes the vault into a fresh + empty repo (refuses to clobber existing). Git history is never + bundled from the extension — CLI is the source of full backups. +- **`relicario status` shows last export age.** New `Last export: + ` line reading `.relicario/last_backup` (a marker + file `cmd_backup_export` writes on success). Reads "never" for + fresh vaults, "4 days ago" otherwise. + +### Known limitations + +- **Mid-restore failure leaves the target remote in a half-written + state.** `cmd_backup_restore` and the vault-tab Restore panel both + write artifacts sequentially via `writeFileCreateOnly`. If the + process is interrupted partway, a retry against the same remote + refuses to clobber. Workaround: delete the partial repo and retry. +- **Cross-tool backup compatibility.** CLI-exported backups stored + attachments at `/.enc`; extension stores at flat + `.bin`. The `.relbak` envelope canonicalizes to `/` + keys and each tool translates at the boundary. Round-trip works in + both directions. ### Internal