From b2749826b16bd0ad7d72a3cdc5f1b8f90c9a8c0c Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sat, 2 May 2026 20:48:22 -0400
Subject: [PATCH] docs: CHANGELOG entry for v0.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three release trains roll into one tag — v0.3.0 backup/restore + LastPass import, v0.4.0 device authentication, and the v0.5.0 polish + harden bundle.

Renames the existing "Unreleased" heading to v0.5.0 — 2026-05-02 and prepends the polish + harden additions:

- Security: S1 pre-receive hook fix (HIGH-severity authentication bypass), S2 tar-restore path-traversal hardening, S3 RELICARIO_* env-var audit + cfg-gate.
- Fixed: B1 strength-meter regenerate desync, B2/P4 raw error-code leakage in the fullscreen tab.
- Added: P1 password coloring (four reveal surfaces + settings UI), P2 setup → fullscreen vault tab handoff. Existing v0.3.0/v0.4.0 Added entries (sync, register-from-popup, generator-defaults, edit TOTP, history, detach, status, backup/restore, vault-tab panel, LastPass import + popup deep link, status export age) preserved verbatim.
- Changed: P3 form-layout envelope, doc-audit refresh across overview / CLAUDE / SECURITY / ARCHITECTURE / foundational spec.
- Internal: C1 stale-branch prune, clippy cleanup, Cargo.lock regenerated, CLI/extension refactors preserved from prior trains.

Co-Authored-By: Claude Opus 4.7
---
 CHANGELOG.md | 104 ++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 95 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 135a5df..ca63564 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,72 @@ # Changelog -## Unreleased +## v0.5.0 — 2026-05-02 + +Three release trains roll into one tag — backup/restore + LastPass +import (originally v0.3.0), device authentication (originally v0.4.0), +and the v0.5.0 polish + harden bundle (security fixes + UX fixes + +two confirmed bugs). + +### Security + +- **Pre-receive hook now actually verifies signatures (audit S1, HIGH).** + Earlier `relicario-server` builds accepted any commit with a + `Good signature` line on stderr regardless of which key signed it — + device-auth was a no-op. The hook now builds an `allowed_signers` + file from `devices.json` at the commit (via `GIT_CONFIG_*` env, no + global git-config mutation), parses the SSH SHA-256 fingerprint out + of `git verify-commit --raw` stderr, and rejects unregistered keys or + revoked keys whose committer-date is at or after the revocation + timestamp. Bootstrap mode is preserved only when **both** + `devices.json` AND `revoked.json` are empty (closes an + empty-devices.json privilege-escalation route). +- **Backup-restore tar unpacking hardened (audit S2).** `relicario + backup restore` no longer trusts `tar::Archive::unpack`'s defaults. + A new `relicario_core::safe_unpack_git_archive` validates each + entry's path components (rejects `..`, absolute paths, Windows + drive prefixes), rejects symlinks/hardlinks, and caps total + uncompressed size at the lower of 100×compressed-bytes or 1 GiB. + The CLI restore path adds a paranoid `dest.starts_with(.git/)` + check after path-joining as defense-in-depth. +- **`RELICARIO_*` env-var surface audited (audit S3).** `docs/SECURITY.md` + gains a per-variable trust table. `RELICARIO_NO_GROUPS_CACHE` (a + developer escape hatch, not a user knob) is now + `cfg(debug_assertions)`-gated and is a no-op in `--release` builds; + the env-var lookup is removed from the binary by the optimiser. 
+ +### Fixed + +- **Strength meter no longer goes stale after the regenerate button (B1).** + Programmatic `input.value = newPassword` doesn't fire `input` + events; the regenerate handler now dispatches a synthetic + `InputEvent('input', { bubbles: true })` so the meter listener + re-rates the new value. +- **Snake_case error codes no longer leak into the UI (B2 / P4).** + Errors like `vault_locked`, `origin_mismatch`, `unauthorized_sender` + used to render verbatim in the fullscreen vault tab and (in some + cases) the popup. New `extension/src/shared/error-copy.ts` central + registry maps every service-worker error code to friendly + title/body/CTA copy; the popup and fullscreen tab consume the + same map. The fullscreen lock screen's `vault_locked` block now + reads `Vault locked / Unlock your vault to continue. / [Unlock + vault]`. A generated test enumerates the live error codes via + grep so the registry can't drift. ### Added +- **Password coloring (P1).** Revealed passwords in the popup + item-detail, fullscreen item view, field-history viewer, and + generator preview render digits and symbols in distinct colors. + Defaults: blue digits, red symbols. Users can override via the + new Display section in settings (color pickers + live preview + swatch + reset). Defaults round-trip via + `chrome.storage.sync.password_display_scheme`; cross-device when + Chrome sync is enabled. +- **Setup wizard hands off to the fullscreen vault tab on completion + (P2).** Both create-new and attach-existing flows now open + `vault.html` in a new tab and best-effort close the setup tab + after device registration succeeds — replaces the prior + setup-tab-stays-open terminal screen. - **Sync now button** in the extension settings view — surfaces the previously hidden `{ type: 'sync' }` SW message to users with success / error feedback. 
@@ -59,6 +122,30 @@ file `cmd_backup_export` writes on success). Reads "never" for fresh vaults, "4 days ago" otherwise. +### Changed + +- **Form layout in the fullscreen vault tab is now visually consistent + (P3).** Notes, custom-fields disclosure, attachments disclosure, and + form-actions in fullscreen logins now sit inside a `.form-lower` + wrapper with the same `max-width: 960px; margin: 0 auto` envelope as + the `.form-grid` cards above. Removes the visual rhythm break at the + 2-col → full-width transition. The popup surface is unchanged. +- **Documentation refreshed for v0.5.0 (doc audit, 14 findings).** + `docs/architecture/overview.md` now describes four codebases (the + `relicario-server` pre-receive hook crate is no longer invisible); + `CLAUDE.md` project tree and roadmap reflect current state; + `docs/SECURITY.md` names the server crate and its `verify-commit` / + `generate-hook` subcommands and notes the without-the-hook-it's- + advisory caveat; `docs/ARCHITECTURE.md` shows `settings.enc` as a + parallel artifact in the vault-creation flow; the foundational + design spec gains a "historical" status banner pointing readers at + the current docs. +- `relicario generate` now consults `VaultSettings.generator_defaults` when + invoked inside an initialized vault. Explicit flags (`--length`, + `--bip39`, `--words`, `--symbols`, `--separator`) override the vault + default. Outside a vault, behavior is unchanged (length 20, safe symbol + set, 5 BIP39 words, space separator). + ### Known limitations - **Mid-restore failure leaves the target remote in a half-written 
@@ -74,6 +161,13 @@ ### Internal +- 5 stale local feature branches and 3 worktrees pruned (audit C1). +- Pre-existing clippy warnings cleaned up across `relicario-{core,cli}` + (deref operators, `Option::is_none_or` over `map_or(true, ...)`, + `iter_mut().enumerate()` patterns, `div_ceil()`) so the workspace + builds clean under `-D warnings`. +- `Cargo.lock` regenerated and committed; was stale since the + `--totp-qr` commit. - Refactored `cmd_add` and `cmd_edit` in the CLI: each `ItemCore` variant now has its own `build_*_item` / `edit_*` helper. Pure mechanical extraction; behavior unchanged. The dispatcher matches and delegates. @@ -83,14 +177,6 @@ `setup.ts` since it walks live wizard state. Setup.ts went from 1205 → 1137 lines. -### Changed - -- `relicario generate` now consults `VaultSettings.generator_defaults` when - invoked inside an initialized vault. Explicit flags (`--length`, - `--bip39`, `--words`, `--symbols`, `--separator`) override the vault - default. Outside a vault, behavior is unchanged (length 20, safe symbol - set, 5 BIP39 words, space separator). - ## v0.2.0 — 2026-04-27 ### Fixed
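Review bot: In the first hunk (@@ -1,9 +1,72 @@), the S1 entry says revoked keys are rejected when the committer-date is at or after the revocation timestamp, but the committer date is a field written by the committing client, so the entry should say what bounds that date on the server side, or the gap should be listed under Known limitations. In the S2 entry of the same hunk, `dest.starts_with(.git/)` shows the argument unquoted; quote the path literal so it reads as a string argument.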
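Review bot: In the hunk at @@ -59,6 +122,30 @@, the caveat that device authentication is only advisory without the hook appears solely inside the documentation-refresh bullet; because it qualifies the S1 fix, repeat it in the Security section or link that entry to `docs/SECURITY.md`. The phrase is also wrapped after a hyphen (`without-the-hook-it's-` then `advisory`), which Markdown will render with a stray space, so keep the compound on one line.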
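Review bot: In the Internal hunk (@@ -74,6 +161,13 @@), the `Cargo.lock` bullet records that the lockfile was regenerated but not whether any resolved dependency versions changed as a result. For a release that ships security fixes, state that explicitly (or name the crates that moved) so the dependency delta can be reviewed from the changelog rather than only from the lockfile diff.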