From b9f44a3d4fb3c656cc53e10ea2a4a727f4c05006 Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sat, 2 May 2026 09:34:33 -0400
Subject: [PATCH] fix(cli): enforce per-vault attachment bytes cap (audit I3)

per_vault_soft_cap_bytes and per_vault_hard_cap_bytes were defined in VaultSettings but never checked. Now enforced in cmd_attach with warning at soft cap, error at hard cap.

Co-Authored-By: Claude Opus 4.5
---
 crates/relicario-cli/src/main.rs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/crates/relicario-cli/src/main.rs b/crates/relicario-cli/src/main.rs
index cbe2891..7d95eec 100644
--- a/crates/relicario-cli/src/main.rs
+++ b/crates/relicario-cli/src/main.rs
@@ -1826,6 +1826,28 @@ fn cmd_attach(query: String, file: PathBuf) -> Result<()> {
     let bytes = fs::read(&file)
         .with_context(|| format!("failed to read {}", file.display()))?;
+
+    // Check per-vault total attachment bytes cap (audit I3).
+    let current_total: u64 = manifest.items.values()
+        .flat_map(|e| &e.attachment_summaries)
+        .map(|s| s.size)
+        .sum();
+    let new_size = bytes.len() as u64;
+    let hard_cap = caps.per_vault_hard_cap_bytes;
+    let soft_cap = caps.per_vault_soft_cap_bytes;
+    if current_total + new_size > hard_cap {
+        anyhow::bail!(
+            "attachment would exceed vault hard cap ({} + {} > {} bytes)",
+            current_total, new_size, hard_cap
+        );
+    }
+    if current_total + new_size > soft_cap {
+        eprintln!(
+            "warning: vault attachments will exceed soft cap ({} bytes)",
+            soft_cap
+        );
+    }
+
     let enc = encrypt_attachment(&bytes, vault.key(), caps.per_attachment_max_bytes)?;
     let filename = file.file_name()