release(v0.9.0): bump versions to 0.9.0 + CHANGELOG + STATUS/ROADMAP/spec sync
Org GUI (read+write) + pluggable second factor feature-complete (all 5 streams
merged at 6d6e9f8). Versions: extension manifests + core/cli/wasm -> 0.9.0
(manifest.firefox.json 0.7.0-drift corrected); relicario-server stays 0.1.1.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
This commit is contained in:
42
CHANGELOG.md
42
CHANGELOG.md
@@ -1,5 +1,47 @@
|
||||
# Changelog
|
||||
|
||||
## v0.9.0 — 2026-06-27 — org vault in the extension + pluggable second factor
|
||||
|
||||
Two headline features, plus a positioning re-lead on the durable thesis: two
|
||||
independent secrets into the KDF, self-hostable, a server that holds only opaque
|
||||
ciphertext, and a git-backed audit log.
|
||||
|
||||
### Added — Pluggable second factor (key file)
|
||||
- The vault's 256-bit second factor can now be carried by a plain **key file**
|
||||
(`.relkey`), chosen at creation, as an alternative to the steganographic
|
||||
reference image. Same secret, same Argon2id KDF, same AEAD — only the container
|
||||
changes (proven by a byte-identical master-key equivalence test).
|
||||
- **CLI:** `relicario init --key-file <path>` generates the `.relkey`; unlock,
|
||||
`recovery-qr`, and backup resolve the container from a non-secret
|
||||
`second_factor` hint in `params.json` (`RELICARIO_KEYFILE` mirrors
|
||||
`RELICARIO_IMAGE`).
|
||||
- **Extension:** setup-wizard container choice (Reference Image | Key File),
|
||||
`.relkey` download at creation, and unlock + attach via a key-file picker.
|
||||
- Threat model: the `.relkey` / `keyfileBase64` holds the secret **in the clear**
|
||||
— the same posture as the reference JPEG (gitignored / local-only, never pushed;
|
||||
the server only ever sees ciphertext). Documented as equivalent, not weaker.
|
||||
|
||||
### Added — Org (enterprise) vault in the browser extension (read + write)
|
||||
- The enterprise org vault (CLI since v0.8.0/v0.8.1) now has full browser
|
||||
presence: a **Personal / <org>** context switcher, grant-filtered browse +
|
||||
view of all 7 item types, an **add-org** config flow, **add / edit / delete** of
|
||||
org items, and an offline read-only indicator. Org admin
|
||||
(members/collections/grants/rotate/audit) stays CLI-only by design.
|
||||
- Org **writes** go through ed25519-**signed commits** the org pre-receive hook
|
||||
accepts, pushed via **native git (`git-receive-pack`) with an in-browser
|
||||
packfile encoder (isomorphic-git)** — host-agnostic, working on Gitea *and*
|
||||
GitHub at any version (Gitea exposes no signature-carrying write REST API). The
|
||||
org master key never touches persistent storage; org data never persists outside
|
||||
the Zeroizing WASM session.
|
||||
- **Device-key lifecycle completed:** the device's ed25519 private key is now
|
||||
persisted encrypted under the vault master key and restored into the WASM
|
||||
session at unlock — it never crosses into JS.
|
||||
|
||||
### Versions
|
||||
- extension + `relicario-core` / `relicario-cli` / `relicario-wasm` → `0.9.0`;
|
||||
`relicario-server` stays `0.1.1` (independent line). `manifest.firefox.json`
|
||||
corrected from a stale `0.7.0`.
|
||||
|
||||
## v0.8.2 — 2026-06-25 — extension vault-creation fix (binary transport)
|
||||
|
||||
Fixes a bug that broke **vault creation and attach in the browser extension**:
|
||||
|
||||
Reference in New Issue
Block a user