release(v0.9.0): bump versions to 0.9.0 + CHANGELOG + STATUS/ROADMAP/spec sync
Org GUI (read+write) + pluggable second factor feature-complete (all 5 streams
merged at 6d6e9f8). Versions: extension manifests + core/cli/wasm -> 0.9.0
(manifest.firefox.json 0.7.0-drift corrected); relicario-server stays 0.1.1.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
This commit is contained in:
@@ -4,9 +4,8 @@
|
||||
|
||||
## Version
|
||||
|
||||
**Last release tagged:** v0.8.1 (`2fa4d68`, 2026-06-20) — org item-type parity + collection-scoped attachments, on top of v0.8.0 enterprise org vault. (v0.7.0 extension restructure; v0.6.0 rolled up Phase 2B / v0.5.1 / 1C-γ / Plan B / management-surfaces / doc-structure.)
|
||||
**Cutting now:** **v0.8.2 — extension vault-creation fix.** Binary-safe `chrome.runtime.sendMessage` transport (`message-binary.ts`) + carrier-image magic-byte guard + setup-wizard router allowlist + vault-tab drawer/lock layout. Extension-only; core/cli/wasm bumped 0.8.1→0.8.2 for tag consistency, `relicario-server` stays 0.1.1. Merged to main `938174b`; `release: v0.8.2` doc/tag commit pending.
|
||||
**In flight:** **v0.9.0 — extension org GUI + pluggable second factor.** Multi-agent lift kicked off 2026-06-25 (5 streams, relay-coordinated). **Org-write scope decision (2026-06-25):** the signed-commit spike proved the signature mechanism (GO), but research found Gitea has **no write Git Data API at any version** (1.26.4 latest; none on roadmap; Contents API can't carry a caller signature) — so org-write ships via **native `git-receive-pack` packfile push (isomorphic-git in the SW), a single universal write path for both Gitea + GitHub**. User chose **build-now in v0.9.0** (not defer). Details in the v0.9.0 lift block below.
|
||||
**Last release tagged:** v0.8.2 (2026-06-25) — extension vault-creation fix (binary-safe `chrome.runtime.sendMessage` transport + carrier guard + setup-router allowlist + drawer/lock layout); core/cli/wasm bumped for tag consistency, `relicario-server` stays 0.1.1. (v0.8.1 org item-type parity + collection-scoped attachments; v0.8.0 enterprise org vault backend.)
|
||||
**Cutting now:** **v0.9.0 — org vault in the extension + pluggable second factor. FEATURE-COMPLETE.** All 5 streams merged to main (`6d6e9f8`): D keyfile core/cli/wasm + minors + E keyfile extension; A org foundation + B org read-UI/add-org + C org signed-write. Full gate green (cargo 0-failed, clippy `-D warnings`, extension **584/584**, build:all). Versions bumped to **0.9.0** (extension manifests + core/cli/wasm; server stays 0.1.1; `manifest.firefox.json` 0.7.0-drift fixed), CHANGELOG written, Cargo.lock regenerated. **Pending tag:** user smoke-test + explicit approval. Pre/post-tag follow-ups tracked: Dev-A M1 (device-migration user notice) + M2 (corrupt `device_key_enc` recovery); `backup --include-keyfile`; `gitea.ts putBlob` latent bug; worktree cleanup (stale v0.8.1 + review worktrees). Lift detail in the block below.
|
||||
|
||||
## v0.9.0 lift — in progress (kicked off 2026-06-25)
|
||||
|
||||
@@ -16,7 +15,7 @@ Two-track multi-agent lift (5 streams, relay-coordinated; PM + Dev-A..E):
|
||||
|
||||
**Merge progress (as of 2026-06-27):**
|
||||
- **Keyfile track ✅ COMPLETE** — Dev-D keyfile core/cli/wasm (`588495f`), Dev-D security-review minors (`2262272`: `keyfile_encode`→`Zeroizing` + a backup-keyfile-error test + the no-oracle malformed-vs-wrong pair), Dev-E keyfile extension + positioning docs (`2ff5e5b`). All merged + verified, each two-review-clean (PM diff read + independent security subagent for D; E's mandatory `/security-review` no-findings + opus whole-branch + PM SECURITY.md read). The **pluggable second factor ships end-to-end** (CLI `init --key-file`/unlock/recovery-qr + extension wizard/unlock/attach), documented honestly (secret in the clear but gitignored/local-only and never pushed; not weaker than stego).
|
||||
- **Org track — A ✅ + B ✅ MERGED; C in progress (final stream):** Dev-A org foundation merged (`33dd018`) — device-key persist/restore (Variant Y, key never to JS), multi-context session zero-all, ECIES org unwrap, grant-filtered read; security PASS-WITH-MINOR with **I1** (free the orphaned org-key handle on the `openOrg` error path) + the error-copy coverage gap both fixed pre-merge. Dev-B org read UI + the **added config-write flow** (`org_add_config` + add-org form — `org_list_configs` read `orgConfigs` but nothing wrote them) merged (`a530e44`); its opus review caught + fixed a **CRITICAL read-only misroute** (org detail/drawer showed edit/trash firing *personal* update/delete with the org id) — read-only now enforced across list/detail/drawer/sidebar. Dev-C (org write) building Tasks 3-5 (`org_add/update/delete` via the universal `commitSigned`, honoring the manifest landmine + client grant check; write UI on B's surfaces; acceptance) + the mandatory `/security-review` → its REVIEW-READY is the org track's final merge.
|
||||
- **Org track — ✅ COMPLETE (A → B → C all merged):** Dev-A org foundation merged (`33dd018`) — device-key persist/restore (Variant Y, key never to JS), multi-context session zero-all, ECIES org unwrap, grant-filtered read; security PASS-WITH-MINOR with **I1** (free the orphaned org-key handle on the `openOrg` error path) + the error-copy coverage gap both fixed pre-merge. Dev-B org read UI + the **added config-write flow** (`org_add_config` + add-org form — `org_list_configs` read `orgConfigs` but nothing wrote them) merged (`a530e44`); its opus review caught + fixed a **CRITICAL read-only misroute** (org detail/drawer showed edit/trash firing *personal* update/delete with the org id) — read-only now enforced across list/detail/drawer/sidebar. Dev-C org signed-write merged (`6d6e9f8`): `org_add/update/delete` via the universal `commitSigned`, manifest landmine honored, client grant check, write UI on B's surfaces; **the C1 empty-id data-loss bug was caught by the independent security-review subagent and fixed pre-merge** (the dev's own `/security-review` AND the PM diff read both missed it — it was masked by a test that hard-coded the item id; the third independent pass earned its keep); `/security-review` clean. All three org streams merged; full gate green (extension 584/584).
|
||||
- **Pre-tag follow-ups:** Dev-A M1 (one-time user notice that the device-key migration mints a new device identity) + M2 (recovery path for a corrupt `device_key_enc`); `backup --include-keyfile` sibling; the `gitea.ts putBlob` latent bug; stale-worktree cleanup (3 v0.8.1 worktrees + 2 leftover review worktrees in scratchpad).
|
||||
|
||||
**Org-write transport decision (2026-06-25) — recorded per the org-GUI spec's spike gate:**
|
||||
|
||||
Reference in New Issue
Block a user