release(v0.9.0): bump versions to 0.9.0 + CHANGELOG + STATUS/ROADMAP/spec sync

Org GUI (read+write) + pluggable second factor feature-complete (all 5 streams
merged at 6d6e9f8). Versions: extension manifests + core/cli/wasm -> 0.9.0
(manifest.firefox.json 0.7.0-drift corrected); relicario-server stays 0.1.1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
This commit is contained in:
adlee-was-taken
2026-06-27 18:42:57 -04:00
parent 6d6e9f8c0e
commit b7d74ed0bc
11 changed files with 59 additions and 16 deletions

View File

@@ -1,5 +1,47 @@
# Changelog
## v0.9.0 — 2026-06-27 — org vault in the extension + pluggable second factor
Two headline features, plus a positioning re-lead on the durable thesis: two
independent secrets into the KDF, self-hostable, a server that holds only opaque
ciphertext, and a git-backed audit log.
### Added — Pluggable second factor (key file)
- The vault's 256-bit second factor can now be carried by a plain **key file**
(`.relkey`), chosen at creation, as an alternative to the steganographic
reference image. Same secret, same Argon2id KDF, same AEAD — only the container
changes (proven by a byte-identical master-key equivalence test).
- **CLI:** `relicario init --key-file <path>` generates the `.relkey`; unlock,
`recovery-qr`, and backup resolve the container from a non-secret
`second_factor` hint in `params.json` (`RELICARIO_KEYFILE` mirrors
`RELICARIO_IMAGE`).
- **Extension:** setup-wizard container choice (Reference Image | Key File),
`.relkey` download at creation, and unlock + attach via a key-file picker.
- Threat model: the `.relkey` / `keyfileBase64` holds the secret **in the clear**
— the same posture as the reference JPEG (gitignored / local-only, never pushed;
the server only ever sees ciphertext). Documented as equivalent, not weaker.
### Added — Org (enterprise) vault in the browser extension (read + write)
- The enterprise org vault (CLI since v0.8.0/v0.8.1) now has full browser
presence: a **Personal / &lt;org&gt;** context switcher, grant-filtered browse +
view of all 7 item types, an **add-org** config flow, **add / edit / delete** of
org items, and an offline read-only indicator. Org admin
(members/collections/grants/rotate/audit) stays CLI-only by design.
- Org **writes** go through ed25519-**signed commits** the org pre-receive hook
accepts, pushed via **native git (`git-receive-pack`) with an in-browser
packfile encoder (isomorphic-git)** — host-agnostic, working on Gitea *and*
GitHub at any version (Gitea exposes no signature-carrying write REST API). The
org master key never touches persistent storage; org data never persists outside
the Zeroizing WASM session.
- **Device-key lifecycle completed:** the device's ed25519 private key is now
persisted encrypted under the vault master key and restored into the WASM
session at unlock — it never crosses into JS.
### Versions
- extension + `relicario-core` / `relicario-cli` / `relicario-wasm``0.9.0`;
`relicario-server` stays `0.1.1` (independent line). `manifest.firefox.json`
corrected from a stale `0.7.0`.
## v0.8.2 — 2026-06-25 — extension vault-creation fix (binary transport)
Fixes a bug that broke **vault creation and attach in the browser extension**: