diff --git a/docs/superpowers/plans/2026-04-20-relicario-extension-1c-alpha.md b/docs/superpowers/plans/2026-04-20-relicario-extension-1c-alpha.md new file mode 100644 index 0000000..7a27e10 --- /dev/null +++ b/docs/superpowers/plans/2026-04-20-relicario-extension-1c-alpha.md @@ -0,0 +1,3319 @@ +# relicario Extension 1C-α (Foundation) Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Port the browser extension onto the typed-item core from Plans 1A+1B. Rebuild the WASM artifact, migrate the TypeScript surface to typed items, rewrite the service worker around the opaque `SessionHandle`, split the message router with sender checks, wire the full security architecture (WAR cleanup, origin-bound autofill, TOFU origin-ack, popup captured-tab verification, closed Shadow DOM), gate the setup wizard with zxcvbn, and achieve Login-parity on the new stack. Other six item types land in 1C-β. + +**Architecture:** Six-slice bottom-up sequencing. Each slice leaves the branch in a cleanly-committable state; the extension doesn't have to load-and-run until slice 6. All messaging is statically split into `PopupMessage` (popup-callable) and `ContentMessage` (content-script-callable) unions; the single `chrome.runtime.onMessage` listener dispatches by `sender.url` / `sender.tab` / `sender.frameId`. Session handles are opaque u32 wrappers with Rust-side `Zeroizing<[u8; 32]>` storage — JS never sees master-key bytes. + +**Tech Stack:** Rust (`relicario-wasm` crate, built with `wasm-pack --target web`), TypeScript (webpack 5, ts-loader), Vitest (new — for router unit tests), Bun (package manager per `bun.lock`). + +**Reference spec:** `docs/superpowers/specs/2026-04-20-relicario-extension-1c-alpha-design.md` (commit `ad6d8af`) + +**Branch:** Create `feature/typed-items-1c-alpha` off `main` (Plan 1B already merged). + +**Environment note:** `extension/` uses Bun (`bun.lock`) but `package.json` scripts invoke `webpack` directly. Use `bun install` for deps and `bun run build`/`bun run build:all`/`bun run build:firefox`/`bun run build:wasm` for scripts — they match npm semantics. + +--- + +## Pre-flight + +- [ ] **Pre-flight step 1: Verify cargo workspace green on `main`** + +Run: `cd /home/alee/Sources/relicario && cargo test --workspace` +Expected: all 151 tests pass (per Plan 1B tag `plan-1b-cli-wasm-complete`). + +- [ ] **Pre-flight step 2: Create feature branch** + +```bash +cd /home/alee/Sources/relicario +git checkout main +git pull +git checkout -b feature/typed-items-1c-alpha +``` + +- [ ] **Pre-flight step 3: Install extension deps** + +```bash +cd extension +bun install +``` + +Expected: installs cleanly (webpack, ts-loader, copy-webpack-plugin, @types/chrome). + +--- + +## Slice 1 — WASM artifact rebuild + +Goal: replace the stale `idfoto_wasm*` files in `extension/wasm/` with freshly-built `relicario_wasm*` output. Synchronize `wasm.d.ts` if there's any drift from the Plan 1B surface. + +### Task 1: Delete stale WASM artifacts + +**Files:** +- Delete: `extension/wasm/idfoto_wasm_bg.wasm` +- Delete: `extension/wasm/idfoto_wasm_bg.wasm.d.ts` +- Delete: `extension/wasm/idfoto_wasm.d.ts` +- Delete: `extension/wasm/idfoto_wasm.js` +- Delete: `extension/wasm/package.json` + +- [ ] **Step 1: Remove stale files** + +```bash +cd /home/alee/Sources/relicario/extension +rm -f wasm/idfoto_wasm_bg.wasm wasm/idfoto_wasm_bg.wasm.d.ts wasm/idfoto_wasm.d.ts wasm/idfoto_wasm.js wasm/package.json +``` + +- [ ] **Step 2: Verify directory is empty** + +Run: `ls extension/wasm/` +Expected: no output (empty directory). + +- [ ] **Step 3: Commit** + +```bash +cd /home/alee/Sources/relicario +git add -A extension/wasm/ +git commit -m "chore(ext): remove stale idfoto_wasm artifact" +``` + +### Task 2: Build the relicario-wasm artifact for the extension + +**Files:** +- Modify (generated): `extension/wasm/relicario_wasm.js` +- Modify (generated): `extension/wasm/relicario_wasm_bg.wasm` +- Modify (generated): `extension/wasm/relicario_wasm.d.ts` +- Modify (generated): `extension/wasm/relicario_wasm_bg.wasm.d.ts` +- Modify (generated): `extension/wasm/package.json` + +- [ ] **Step 1: Run the WASM build script** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build:wasm +``` + +The script invokes `wasm-pack build ../crates/relicario-wasm --target web --out-dir ../../extension/wasm`. Requires `wasm-pack` on PATH; if missing, install with `cargo install wasm-pack`. + +- [ ] **Step 2: Verify expected files exist** + +```bash +ls extension/wasm/ +``` + +Expected files: `relicario_wasm.js`, `relicario_wasm_bg.wasm`, `relicario_wasm.d.ts`, `relicario_wasm_bg.wasm.d.ts`, `package.json`. + +- [ ] **Step 3: Sanity-check the WASM binary is non-trivial** + +```bash +stat -c '%s' extension/wasm/relicario_wasm_bg.wasm +``` + +Expected: a multi-hundred-KB size (typical wasm-pack output with Argon2, XChaCha20, zxcvbn, bip39 is ~500KB–1.5MB). + +- [ ] **Step 4: Commit** + +```bash +git add extension/wasm/ +git commit -m "build(ext): rebuild WASM artifact as relicario_wasm" +``` + +### Task 3: Sync `extension/src/wasm.d.ts` with the generated declarations + +The hand-maintained `extension/src/wasm.d.ts` declares the WASM surface for the TS compiler. Verify it matches `crates/relicario-wasm/src/lib.rs` — the rebuilt artifact may reveal drift. + +**Files:** +- Modify: `extension/src/wasm.d.ts` + +- [ ] **Step 1: Compare existing declarations to Rust source** + +Read `extension/src/wasm.d.ts` and `crates/relicario-wasm/src/lib.rs`. Each `#[wasm_bindgen]` signature must have a corresponding TS declaration. + +Current file should already match (Plan 1B landed it). If any function is missing, add it. As of commit `65e0d3c` the expected surface is: + +```ts +// Thin TypeScript declarations for the relicario-wasm bindings. +// These are hand-written to mirror the #[wasm_bindgen] signatures in +// crates/relicario-wasm/src/lib.rs; keep them in sync manually. + +export class SessionHandle { + readonly value: number; + free(): void; +} + +export class EncryptedAttachment { + readonly aid: string; + readonly bytes: Uint8Array; + free(): void; +} + +export class TotpCode { + readonly code: string; + readonly expires_at: number; + free(): void; +} + +export function unlock( + passphrase: string, + image_bytes: Uint8Array, + salt: Uint8Array, + params_json: string, +): SessionHandle; + +export function lock(handle: SessionHandle): boolean; + +export function manifest_decrypt(handle: SessionHandle, encrypted: Uint8Array): unknown; +export function manifest_encrypt(handle: SessionHandle, manifest_json: string): Uint8Array; +export function item_decrypt(handle: SessionHandle, encrypted: Uint8Array): unknown; +export function item_encrypt(handle: SessionHandle, item_json: string): Uint8Array; +export function settings_decrypt(handle: SessionHandle, encrypted: Uint8Array): unknown; +export function settings_encrypt(handle: SessionHandle, settings_json: string): Uint8Array; + +export function attachment_encrypt( + handle: SessionHandle, + plaintext: Uint8Array, + max_bytes: bigint, +): EncryptedAttachment; +export function attachment_decrypt(handle: SessionHandle, encrypted: Uint8Array): Uint8Array; + +export function new_item_id(): string; +export function new_field_id(): string; + +export function generate_password(request_json: string): string; +export function generate_passphrase(request_json: string): string; +export function rate_passphrase(p: string): { score: number; guesses_log10: number }; + +export function extract_image_secret(image_bytes: Uint8Array): Uint8Array; +export function embed_image_secret(carrier: Uint8Array, secret: Uint8Array): Uint8Array; + +export function totp_compute(config_json: string, now_unix_seconds: bigint): TotpCode; + +// Initializer (wasm-bindgen's default init function). +export default function init(module_or_path?: unknown): Promise; +``` + +- [ ] **Step 2: Add `initSync` export declaration** + +The service worker `index.ts` also calls `initSync` (named export) for the Chrome MV3 path. Add this after the default export: + +```ts +// wasm-bindgen's sync init — Chrome MV3 service workers can't use dynamic import(). +export function initSync(args: { module: WebAssembly.Module }): void; +``` + +- [ ] **Step 3: Verify TS compile passes** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | head -40 +``` + +Expected: compilation proceeds (may still fail on the old `idfoto_wasm`-era callers in `service-worker/`; that's fine — the types file itself should not error). + +- [ ] **Step 4: Commit** + +```bash +git add extension/src/wasm.d.ts +git commit -m "build(ext): align wasm.d.ts with relicario-wasm surface" +``` + +--- + +## Slice 2 — Shared TS types and message unions + +Goal: rewrite `shared/types.ts` and `shared/messages.ts` to mirror the Rust typed-item serialization. This slice makes downstream TS fail to compile everywhere that still references `Entry` / `ManifestEntry` with `password` / `totp_secret` — that's expected; slices 3–6 fix the callers. + +### Task 4: Rewrite `shared/types.ts` with typed-item shapes + +**Files:** +- Modify: `extension/src/shared/types.ts` + +- [ ] **Step 1: Replace the entire file** + +```ts +/// Typed-item shared TypeScript types. +/// +/// These mirror the Rust core's serde serialization. See +/// crates/relicario-core/src/item.rs, item_types/, and settings.rs +/// for the source shapes. + +// --- IDs --- + +export type ItemId = string; // 16-char hex +export type FieldId = string; // 16-char hex +export type AttachmentId = string; // 16-char hex (sha256 of plaintext, truncated) + +// --- ItemType / ItemCore --- + +// snake_case from serde rename_all +export type ItemType = + | 'login' | 'secure_note' | 'identity' | 'card' | 'key' | 'document' | 'totp'; + +// ItemCore is internally-tagged on "type": +// Login → { type: 'login', username, password, url, totp } +export type ItemCore = + | ({ type: 'login' } & LoginCore) + | ({ type: 'secure_note' } & SecureNoteCore) + | ({ type: 'identity' } & IdentityCore) + | ({ type: 'card' } & CardCore) + | ({ type: 'key' } & KeyCore) + | ({ type: 'document' } & DocumentCore) + | ({ type: 'totp' } & TotpCore); + +// Optional fields use `?` because Rust #[serde(skip_serializing_if = "Option::is_none")] +// omits them from the JSON; serde_wasm_bindgen produces `undefined` on read. + +export interface LoginCore { + username?: string; + password?: string; + url?: string; + totp?: TotpConfig; +} + +export interface SecureNoteCore { body: string; } + +export interface IdentityCore { + full_name?: string; + address?: string; + phone?: string; + email?: string; + date_of_birth?: string; // "YYYY-MM-DD" +} + +export interface CardCore { + number?: string; + holder?: string; + expiry?: { month: number; year: number }; + cvv?: string; + pin?: string; + kind: CardKind; +} + +export type CardKind = 'credit' | 'debit' | 'gift' | 'loyalty' | 'other'; + +export interface KeyCore { + key_material: string; + label?: string; + public_key?: string; + algorithm?: string; +} + +export interface DocumentCore { + filename: string; + mime_type: string; + primary_attachment: AttachmentId; +} + +export interface TotpCore { + config: TotpConfig; + issuer?: string; + label?: string; +} + +// --- TOTP --- + +export type TotpKind = 'totp' | 'steam' | { hotp: { counter: number } }; + +export interface TotpConfig { + secret: number[]; // Vec → JSON number array + algorithm: 'sha1' | 'sha256' | 'sha512'; + digits: number; + period_seconds: number; + kind: TotpKind; +} + +// --- Sections + custom fields --- + +export interface Section { + name?: string; + fields: Field[]; +} + +export interface Field { + id: FieldId; + label: string; + kind: FieldKind; + value: FieldValue; + hidden_by_default: boolean; +} + +export type FieldKind = + | 'text' | 'multiline' | 'password' | 'concealed' | 'url' | 'email' + | 'phone' | 'date' | 'month_year' | 'totp' | 'reference'; + +// adjacently-tagged { tag: "kind", content: "value" } +export type FieldValue = + | { kind: 'text'; value: string } + | { kind: 'multiline'; value: string } + | { kind: 'password'; value: string } + | { kind: 'concealed'; value: string } + | { kind: 'url'; value: string } + | { kind: 'email'; value: string } + | { kind: 'phone'; value: string } + | { kind: 'date'; value: string } + | { kind: 'month_year'; value: { month: number; year: number } } + | { kind: 'totp'; value: TotpConfig } + | { kind: 'reference'; value: AttachmentId }; + +// --- Attachments + history --- + +export interface AttachmentRef { + id: AttachmentId; + filename: string; + mime_type: string; + size: number; + created: number; +} + +export interface FieldHistoryEntry { + value: string; + replaced_at: number; +} + +export interface AttachmentSummary { + id: AttachmentId; + filename: string; + mime_type: string; + size: number; +} + +// --- Item envelope --- + +export interface Item { + id: ItemId; + title: string; + type: ItemType; // Rust r#type → JSON key "type" + tags: string[]; + favorite: boolean; + group?: string; + notes?: string; + created: number; + modified: number; + trashed_at?: number; + core: ItemCore; + sections: Section[]; + attachments: AttachmentRef[]; + field_history: Record; +} + +// --- Manifest (schema_version 2) --- + +export interface Manifest { + schema_version: number; // 2 + items: Record; +} + +export interface ManifestEntry { + id: ItemId; + type: ItemType; + title: string; + tags: string[]; + favorite: boolean; + group?: string; + icon_hint?: string; + modified: number; + trashed_at?: number; + attachment_summaries: AttachmentSummary[]; +} + +// --- Vault settings (only the fields α touches) --- +// Full shape lives on the Rust side and in docs/superpowers/specs/2026-04-18-relicario-typed-items-design.md +// We leave retention/generator/caps opaque to α so we don't accidentally mutate them. + +export interface VaultSettings { + trash_retention: unknown; + field_history_retention: unknown; + generator_defaults: unknown; + attachment_caps: unknown; + autofill_origin_acks: Record; +} + +// --- Vault config (device-local) --- + +export interface VaultConfig { + hostType: 'gitea' | 'github'; + hostUrl: string; + repoPath: string; + apiToken: string; +} + +export interface SetupState { + config: VaultConfig | null; + imageBase64: string | null; + isConfigured: boolean; +} + +// --- Device-local UX settings (chrome.storage.local — renamed from RelicarioSettings) --- + +export interface DeviceSettings { + captureEnabled: boolean; + captureStyle: 'bar' | 'toast'; +} + +export const DEFAULT_DEVICE_SETTINGS: DeviceSettings = { + captureEnabled: false, + captureStyle: 'bar', +}; + +// --- Generator request (matches Rust GeneratorRequest — tag="kind") --- + +export type GeneratorRequest = + | { kind: 'bip39'; word_count: number; separator: string; capitalization: Capitalization } + | { kind: 'random'; length: number; classes: CharClasses; symbol_charset: SymbolCharset }; + +export type Capitalization = 'lower' | 'upper' | 'first_of_each' | 'title' | 'mixed'; +export interface CharClasses { lower: boolean; upper: boolean; digits: boolean; symbols: boolean; } +export type SymbolCharset = + | { kind: 'safe_only' } + | { kind: 'extended' } + | { kind: 'custom'; value: string }; + +// Default used by the α popup "gen" button: +export const DEFAULT_PASSWORD_REQUEST: GeneratorRequest = { + kind: 'random', + length: 20, + classes: { lower: true, upper: true, digits: true, symbols: true }, + symbol_charset: { kind: 'safe_only' }, +}; +``` + +- [ ] **Step 2: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/shared/types.ts +git commit -m "feat(ext): typed-item TS types mirroring relicario-core serde" +``` + +### Task 5: Rewrite `shared/messages.ts` with split unions + +**Files:** +- Modify: `extension/src/shared/messages.ts` + +- [ ] **Step 1: Replace the entire file** + +```ts +import type { + Item, ItemId, Manifest, ManifestEntry, VaultConfig, SetupState, + DeviceSettings, GeneratorRequest, +} from './types'; + +// --- Messages a popup (or setup page) may send --- + +export type PopupMessage = + | { type: 'is_unlocked' } + | { type: 'unlock'; passphrase: string } + | { type: 'lock' } + | { type: 'list_items'; group?: string } + | { type: 'get_item'; id: ItemId } + | { type: 'add_item'; item: Item } + | { type: 'update_item'; id: ItemId; item: Item } + | { type: 'delete_item'; id: ItemId } // soft-delete + | { type: 'get_totp'; id: ItemId } + | { type: 'sync' } + | { type: 'get_setup_state' } + | { type: 'save_setup'; config: VaultConfig; imageBase64: string } + | { type: 'rate_passphrase'; passphrase: string } + | { type: 'generate_password'; request: GeneratorRequest } + | { type: 'fill_credentials'; id: ItemId; capturedTabId: number; capturedUrl: string } + | { type: 'ack_autofill_origin'; hostname: string } + | { type: 'get_settings' } + | { type: 'update_settings'; settings: Partial } + | { type: 'get_blacklist' } + | { type: 'remove_blacklist'; hostname: string }; + +// --- Messages a content script may send --- + +// Note deliberate absence of a `url` field — the SW derives origin from sender.tab.url. + +export type ContentMessage = + | { type: 'get_autofill_candidates' } + | { type: 'get_credentials'; id: ItemId } + | { type: 'check_credential'; username: string; password: string } + | { type: 'blacklist_site' }; + +// --- Union for chrome.runtime.sendMessage call sites --- + +export type Request = PopupMessage | ContentMessage; + +// --- Response --- + +export type Response = + | { ok: true; data?: unknown } + | { ok: false; error: string }; + +// --- Typed response helpers --- + +export interface IsUnlockedResponse extends Extract { + data: { unlocked: boolean }; +} + +export interface ListItemsResponse extends Extract { + data: { items: Array<[ItemId, ManifestEntry]> }; +} + +export interface GetItemResponse extends Extract { + data: { item: Item }; +} + +export interface TotpResponse extends Extract { + data: { code: string; expires_at: number }; +} + +export interface AutofillCandidatesResponse extends Extract { + data: { candidates: Array<[ItemId, ManifestEntry]> }; +} + +export interface CredentialsResponse extends Extract { + data: + | { requires_ack: true; hostname: string } + | { username: string; password: string }; +} + +export interface SetupStateResponse extends Extract { + data: SetupState; +} + +export interface GeneratePasswordResponse extends Extract { + data: { password: string }; +} + +export interface RatePassphraseResponse extends Extract { + data: { score: number; guesses_log10: number }; +} + +// --- Capability sets (consumed by the router) --- + +export const POPUP_ONLY_TYPES: ReadonlySet = new Set([ + 'is_unlocked', 'unlock', 'lock', 'list_items', 'get_item', 'add_item', + 'update_item', 'delete_item', 'get_totp', 'sync', 'get_setup_state', + 'save_setup', 'rate_passphrase', 'generate_password', 'fill_credentials', + 'ack_autofill_origin', 'get_settings', 'update_settings', 'get_blacklist', + 'remove_blacklist', +] as PopupMessage['type'][]); + +export const CONTENT_CALLABLE_TYPES: ReadonlySet = new Set([ + 'get_autofill_candidates', 'get_credentials', 'check_credential', 'blacklist_site', +] as ContentMessage['type'][]); +``` + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/shared/messages.ts +git commit -m "feat(ext): split PopupMessage / ContentMessage unions + capability sets" +``` + +### Task 6: Add `shared/base32.ts` with encode/decode and tests + +**Files:** +- Create: `extension/src/shared/base32.ts` +- Create: `extension/src/shared/__tests__/base32.test.ts` + +This module is the minimum support the Login form needs to accept a base32-encoded TOTP secret string and format the re-encoded form for display. + +- [ ] **Step 1: Write the failing test** + +```ts +// extension/src/shared/__tests__/base32.test.ts +import { describe, expect, it } from 'vitest'; +import { base32Decode, base32Encode } from '../base32'; + +describe('base32', () => { + // RFC 4648 § 10 test vectors + it('encodes empty', () => expect(base32Encode(new Uint8Array())).toBe('')); + it('encodes "f"', () => expect(base32Encode(new TextEncoder().encode('f'))).toBe('MY')); + it('encodes "fo"', () => expect(base32Encode(new TextEncoder().encode('fo'))).toBe('MZXQ')); + it('encodes "foo"', () => expect(base32Encode(new TextEncoder().encode('foo'))).toBe('MZXW6')); + it('encodes "foob"', () => expect(base32Encode(new TextEncoder().encode('foob'))).toBe('MZXW6YQ')); + it('encodes "fooba"', () => expect(base32Encode(new TextEncoder().encode('fooba'))).toBe('MZXW6YTB')); + it('encodes "foobar"',() => expect(base32Encode(new TextEncoder().encode('foobar'))).toBe('MZXW6YTBOI')); + + it('decodes round-trip', () => { + const bytes = new Uint8Array([0x12, 0x34, 0x56, 0x78, 0x9a]); + expect(base32Decode(base32Encode(bytes))).toEqual(bytes); + }); + + it('decodes case-insensitively', () => { + expect(base32Decode('mzxw6')).toEqual(new TextEncoder().encode('foo')); + }); + + it('decodes ignoring whitespace and padding', () => { + expect(base32Decode('JBSW Y3DP EHPK 3PXP==')).toEqual( + base32Decode('JBSWY3DPEHPK3PXP'), + ); + }); + + it('throws on invalid characters', () => { + expect(() => base32Decode('MZ!W6')).toThrow(); + }); +}); +``` + +Note: Vitest is not installed yet; this test file will be run in slice 4 Task 15 where Vitest is wired up. For this task, just create the file so slice 2 stays compilation-clean. + +- [ ] **Step 2: Write `base32.ts`** + +```ts +/// Minimal RFC 4648 base32 encode/decode for TOTP secret parsing. +/// +/// Mirrors the encoder in crates/relicario-core/src/item.rs:base32_encode. +/// Decode is case-insensitive, tolerates whitespace and `=` padding. + +const ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; + +export function base32Encode(bytes: Uint8Array): string { + let out = ''; + let buffer = 0; + let bits = 0; + for (const b of bytes) { + buffer = (buffer << 8) | b; + bits += 8; + while (bits >= 5) { + const idx = (buffer >> (bits - 5)) & 0x1f; + out += ALPHA[idx]; + bits -= 5; + } + } + if (bits > 0) { + const idx = (buffer << (5 - bits)) & 0x1f; + out += ALPHA[idx]; + } + return out; +} + +export function base32Decode(input: string): Uint8Array { + const cleaned = input.replace(/\s+/g, '').replace(/=+$/g, '').toUpperCase(); + const out: number[] = []; + let buffer = 0; + let bits = 0; + for (const ch of cleaned) { + const idx = ALPHA.indexOf(ch); + if (idx === -1) throw new Error(`base32: invalid character "${ch}"`); + buffer = (buffer << 5) | idx; + bits += 5; + if (bits >= 8) { + out.push((buffer >> (bits - 8)) & 0xff); + bits -= 8; + } + } + return new Uint8Array(out); +} +``` + +- [ ] **Step 3: Commit** + +```bash +git add extension/src/shared/base32.ts extension/src/shared/__tests__/base32.test.ts +git commit -m "feat(ext): base32 encode/decode for TOTP secret parse" +``` + +--- + +## Slice 3 — Service-worker session, vault, index + +Goal: rewrite the SW vault layer around the typed-item WASM surface using the opaque `SessionHandle`. `index.ts` temporarily keeps its single-function message handler (still flat, no router split yet — that's slice 4) but the handler's internals now call the new vault module. Login-parity is *not* yet in place; slice 6 wires that. This slice's success criterion is: `bun run build` succeeds. + +### Task 7: Create `service-worker/session.ts` + +**Files:** +- Create: `extension/src/service-worker/session.ts` + +- [ ] **Step 1: Write the file** + +```ts +/// Single module-scope "current" SessionHandle. +/// +/// α assumes one vault per extension install. The master key lives only +/// inside WASM linear memory (wrapped in Zeroizing<[u8;32]>); this module +/// just holds the opaque handle that names it. + +import type { SessionHandle } from '../../wasm/relicario_wasm'; + +let current: SessionHandle | null = null; + +export function setCurrent(h: SessionHandle): void { current = h; } + +export function getCurrent(): SessionHandle | null { return current; } + +export function requireCurrent(): SessionHandle { + if (!current) throw new Error('vault_locked'); + return current; +} + +export function clearCurrent(): void { + if (!current) return; + try { current.free(); } catch { /* already freed */ } + current = null; +} +``` + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/service-worker/session.ts +git commit -m "feat(ext/sw): SessionHandle lifecycle module" +``` + +### Task 8: Rewrite `service-worker/vault.ts` for typed items + +**Files:** +- Modify: `extension/src/service-worker/vault.ts` + +- [ ] **Step 1: Replace the entire file** + +```ts +/// Typed-item vault operations. All calls are handle-keyed — the master key +/// never crosses the WASM boundary. + +import type { SessionHandle } from '../../wasm/relicario_wasm'; +import type { GitHost } from './git-host'; +import type { Item, ItemId, Manifest, ManifestEntry, VaultSettings } from '../shared/types'; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +let wasm: any = null; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +export function setWasm(w: any): void { wasm = w; } + +function requireWasm(): any { + if (!wasm) throw new Error('WASM module not initialized'); + return wasm; +} + +export interface VaultMeta { + salt: Uint8Array; + paramsJson: string; +} + +export async function fetchVaultMeta(git: GitHost): Promise { + const saltBytes = await git.readFile('.relicario/salt'); + const paramsRaw = await git.readFile('.relicario/params.json'); + const paramsJson = new TextDecoder().decode(paramsRaw); + return { salt: saltBytes, paramsJson }; +} + +// --- Manifest --- + +export async function fetchAndDecryptManifest( + git: GitHost, + handle: SessionHandle, +): Promise { + const w = requireWasm(); + const ciphertext = await git.readFile('manifest.enc'); + return w.manifest_decrypt(handle, ciphertext) as Manifest; +} + +export async function encryptAndWriteManifest( + git: GitHost, + handle: SessionHandle, + manifest: Manifest, + message: string, +): Promise { + const w = requireWasm(); + const ciphertext = w.manifest_encrypt(handle, JSON.stringify(manifest)); + await git.writeFile('manifest.enc', ciphertext, message); +} + +// --- Items --- + +export async function fetchAndDecryptItem( + git: GitHost, + handle: SessionHandle, + id: ItemId, +): Promise { + const w = requireWasm(); + const ciphertext = await git.readFile(`items/${id}.enc`); + return w.item_decrypt(handle, ciphertext) as Item; +} + +export async function encryptAndWriteItem( + git: GitHost, + handle: SessionHandle, + id: ItemId, + item: Item, + message: string, +): Promise { + const w = requireWasm(); + const ciphertext = w.item_encrypt(handle, JSON.stringify(item)); + await git.writeFile(`items/${id}.enc`, ciphertext, message); +} + +// --- Settings (the α subset the SW reads/writes is autofill_origin_acks) --- + +export async function fetchAndDecryptSettings( + git: GitHost, + handle: SessionHandle, +): Promise { + const w = requireWasm(); + const ciphertext = await git.readFile('settings.enc'); + return w.settings_decrypt(handle, ciphertext) as VaultSettings; +} + +export async function encryptAndWriteSettings( + git: GitHost, + handle: SessionHandle, + settings: VaultSettings, + message: string, +): Promise { + const w = requireWasm(); + const ciphertext = w.settings_encrypt(handle, JSON.stringify(settings)); + await git.writeFile('settings.enc', ciphertext, message); +} + +// --- In-memory manifest helpers --- + +export function listItems( + manifest: Manifest, + group?: string, +): Array<[ItemId, ManifestEntry]> { + const entries = Object.entries(manifest.items) as Array<[ItemId, ManifestEntry]>; + // Hide trashed items from the default list view. + const live = entries.filter(([, e]) => e.trashed_at === undefined); + if (!group) return live; + const g = group.toLowerCase(); + return live.filter(([, e]) => e.group?.toLowerCase() === g); +} + +export function searchItems( + manifest: Manifest, + query: string, +): Array<[ItemId, ManifestEntry]> { + const q = query.toLowerCase(); + return (Object.entries(manifest.items) as Array<[ItemId, ManifestEntry]>) + .filter(([, e]) => e.trashed_at === undefined) + .filter(([, e]) => { + if (e.title.toLowerCase().includes(q)) return true; + if (e.tags.some((t) => t.toLowerCase().includes(q))) return true; + return false; + }); +} + +export function findByHostname( + manifest: Manifest, + hostname: string, +): Array<[ItemId, ManifestEntry]> { + const h = hostname.toLowerCase(); + return (Object.entries(manifest.items) as Array<[ItemId, ManifestEntry]>) + .filter(([, e]) => e.trashed_at === undefined) + .filter(([, e]) => (e.icon_hint ?? '').toLowerCase() === h); + // icon_hint is derived by Rust core from LoginCore.url's hostname, + // so hostname equality on icon_hint is the cheapest match. +} +``` + +- [ ] **Step 2: Verify TS compile passes for vault.ts** + +```bash +cd /home/alee/Sources/relicario/extension +bunx tsc --noEmit src/service-worker/vault.ts 2>&1 | head -20 +``` + +Expected: no errors originating inside `vault.ts`. Errors from consumers (like `index.ts`) are fine for now. + +- [ ] **Step 3: Commit** + +```bash +git add extension/src/service-worker/vault.ts +git commit -m "feat(ext/sw): typed-item vault ops via SessionHandle" +``` + +### Task 9: Rewire `service-worker/index.ts` for the new vault surface + +This is a transitional state — we keep the flat handler from today but replumb it against the new types. The router split lands in slice 4. + +**Files:** +- Modify: `extension/src/service-worker/index.ts` + +- [ ] **Step 1: Replace the file with the transitional (non-router) shape** + +```ts +/// Background script entry point for the relicario browser extension. +/// +/// Transitional slice-3 shape: keeps the flat onMessage listener but uses +/// the new typed-item vault + SessionHandle. The router split lands in +/// slice 4. + +import type { Request, Response } from '../shared/messages'; +import type { Item, ItemId, Manifest, VaultConfig, SetupState, DeviceSettings } from '../shared/types'; +import { DEFAULT_DEVICE_SETTINGS } from '../shared/types'; +import type { GitHost } from './git-host'; +import { createGitHost, base64ToUint8Array } from './git-host'; +import * as vault from './vault'; +import * as session from './session'; + +// --- WASM module load --- + +// @ts-ignore TS2307 — resolved by webpack alias / copy +import initDefault, { initSync } from '../../wasm/relicario_wasm.js'; +// @ts-ignore TS2307 +import * as wasmBindings from '../../wasm/relicario_wasm.js'; + +type WasmModule = typeof wasmBindings; +let wasm: WasmModule | null = null; + +async function initWasm(): Promise { + if (wasm) return wasm; + + // eslint-disable-next-line @typescript-eslint/no-explicit-any + const SWGlobalScope = (globalThis as any).ServiceWorkerGlobalScope as (new () => ServiceWorker) | undefined; + const isServiceWorker = typeof SWGlobalScope !== 'undefined' + && self instanceof (SWGlobalScope as unknown as typeof EventTarget); + + if (isServiceWorker) { + const wasmResponse = await fetch(chrome.runtime.getURL('relicario_wasm_bg.wasm')); + const wasmBytes = await wasmResponse.arrayBuffer(); + initSync({ module: new WebAssembly.Module(wasmBytes) }); + } else { + const wasmUrl = chrome.runtime.getURL('relicario_wasm_bg.wasm'); + await initDefault(wasmUrl); + } + + vault.setWasm(wasmBindings); + wasm = wasmBindings; + return wasm; +} + +// --- In-memory vault state (cleared on lock or SW restart) --- + +let manifest: Manifest | null = null; +let gitHost: GitHost | null = null; +const totpConfigCache: Map = new Map(); + +// --- chrome.storage.local helpers --- + +async function loadConfig(): Promise { + const result = await chrome.storage.local.get('vaultConfig'); + return (result.vaultConfig as VaultConfig) ?? null; +} + +async function loadImageBase64(): Promise { + const result = await chrome.storage.local.get('imageBase64'); + return (result.imageBase64 as string) ?? null; +} + +async function loadSetupState(): Promise { + const config = await loadConfig(); + const imageBase64 = await loadImageBase64(); + return { config, imageBase64, isConfigured: config !== null && imageBase64 !== null }; +} + +async function loadSettings(): Promise { + const result = await chrome.storage.local.get('relicarioSettings'); + return (result.relicarioSettings as DeviceSettings) ?? { ...DEFAULT_DEVICE_SETTINGS }; +} + +async function saveSettings(settings: DeviceSettings): Promise { + await chrome.storage.local.set({ relicarioSettings: settings }); +} + +async function loadBlacklist(): Promise { + const result = await chrome.storage.local.get('captureBlacklist'); + return (result.captureBlacklist as string[]) ?? []; +} + +async function saveBlacklist(list: string[]): Promise { + await chrome.storage.local.set({ captureBlacklist: list }); +} + +function ensureGitHost(config: VaultConfig): GitHost { + if (!gitHost) { + gitHost = createGitHost(config.hostType, config.hostUrl, config.repoPath, config.apiToken); + } + return gitHost; +} + +// --- Message handler (flat; router split in slice 4) --- + +chrome.runtime.onMessage.addListener( + (request: Request, _sender: chrome.runtime.MessageSender, sendResponse: (response: Response) => void) => { + handleMessage(request) + .then(sendResponse) + .catch((err: Error) => sendResponse({ ok: false, error: err.message })); + return true; + }, +); + +async function handleMessage(req: Request): Promise { + switch (req.type) { + case 'is_unlocked': + return { ok: true, data: { unlocked: session.getCurrent() !== null } }; + + case 'unlock': { + const w = await initWasm(); + const config = await loadConfig(); + if (!config) return { ok: false, error: 'Extension not configured. Run setup first.' }; + const imageB64 = await loadImageBase64(); + if (!imageB64) return { ok: false, error: 'Reference image not set. Run setup first.' }; + + const imageBytes = base64ToUint8Array(imageB64); + const git = ensureGitHost(config); + const meta = await vault.fetchVaultMeta(git); + + const handle = w.unlock(req.passphrase, imageBytes, meta.salt, meta.paramsJson); + session.setCurrent(handle); + // Clear passphrase from scope best-effort. + // (JS strings are immutable; the message object goes out of scope after return.) + (req as { passphrase: string }).passphrase = ''; + + manifest = await vault.fetchAndDecryptManifest(git, handle); + return { ok: true }; + } + + case 'lock': + session.clearCurrent(); + manifest = null; + totpConfigCache.clear(); + return { ok: true }; + + case 'list_items': { + if (!manifest) return { ok: false, error: 'vault_locked' }; + const items = vault.listItems(manifest, req.group); + return { ok: true, data: { items } }; + } + + case 'get_item': { + const handle = session.getCurrent(); + if (!handle || !gitHost) return { ok: false, error: 'vault_locked' }; + const item = await vault.fetchAndDecryptItem(gitHost, handle, req.id); + return { ok: true, data: { item } }; + } + + case 'add_item': { + const handle = session.getCurrent(); + if (!handle || !gitHost || !manifest) return { ok: false, error: 'vault_locked' }; + const w = await initWasm(); + const id = w.new_item_id(); + const item: Item = { ...req.item, id }; + + await vault.encryptAndWriteItem(gitHost, handle, id, item, `add: ${item.title}`); + manifest.items[id] = itemToManifestEntry(item); + await vault.encryptAndWriteManifest(gitHost, handle, manifest, `manifest: add ${item.title}`); + return { ok: true, data: { id } }; + } + + case 'update_item': { + const handle = session.getCurrent(); + if (!handle || !gitHost || !manifest) return { ok: false, error: 'vault_locked' }; + await vault.encryptAndWriteItem(gitHost, handle, req.id, req.item, `update: ${req.item.title}`); + manifest.items[req.id] = itemToManifestEntry(req.item); + await vault.encryptAndWriteManifest(gitHost, handle, manifest, `manifest: update ${req.item.title}`); + totpConfigCache.delete(req.id); + return { ok: true }; + } + + case 'delete_item': { + const handle = session.getCurrent(); + if (!handle || !gitHost || !manifest) return { ok: false, error: 'vault_locked' }; + const entry = manifest.items[req.id]; + if (!entry) return { ok: false, error: 'item_not_found' }; + // Soft-delete: fetch the item, set trashed_at, write it back. + const item = await vault.fetchAndDecryptItem(gitHost, handle, req.id); + const now = Math.floor(Date.now() / 1000); + const updated: Item = { ...item, trashed_at: now, modified: now }; + await vault.encryptAndWriteItem(gitHost, handle, req.id, updated, `trash: ${entry.title}`); + manifest.items[req.id] = { ...entry, trashed_at: now, modified: now }; + await vault.encryptAndWriteManifest(gitHost, handle, manifest, `manifest: trash ${entry.title}`); + return { ok: true }; + } + + case 'sync': { + const handle = session.getCurrent(); + if (!handle || !gitHost) return { ok: false, error: 'vault_locked' }; + manifest = await vault.fetchAndDecryptManifest(gitHost, handle); + return { ok: true }; + } + + case 'get_setup_state': { + return { ok: true, data: await loadSetupState() }; + } + + case 'save_setup': { + await chrome.storage.local.set({ + vaultConfig: req.config, + imageBase64: req.imageBase64, + }); + gitHost = null; + return { ok: true }; + } + + case 'rate_passphrase': { + const w = await initWasm(); + return { ok: true, data: w.rate_passphrase(req.passphrase) }; + } + + case 'generate_password': { + const w = await initWasm(); + const password = w.generate_password(JSON.stringify(req.request)); + return { ok: true, data: { password } }; + } + + case 'get_settings': + return { ok: true, data: { settings: await loadSettings() } }; + + case 'update_settings': { + const current = await loadSettings(); + await saveSettings({ ...current, ...req.settings }); + return { ok: true }; + } + + case 'get_blacklist': + return { ok: true, data: { blacklist: await loadBlacklist() } }; + + case 'remove_blacklist': { + const bl = await loadBlacklist(); + await saveBlacklist(bl.filter((h) => h !== req.hostname)); + return { ok: true }; + } + + // Slice 4 / 5 will wire these up properly (currently placeholders so the build passes): + case 'get_totp': + case 'fill_credentials': + case 'ack_autofill_origin': + case 'get_autofill_candidates': + case 'get_credentials': + case 'check_credential': + case 'blacklist_site': + return { ok: false, error: 'not_implemented_yet' }; + + default: { + const exhaustive: never = req; + return { ok: false, error: `unknown_message_type: ${(exhaustive as { type: string }).type}` }; + } + } +} + +function itemToManifestEntry(item: Item) { + return { + id: item.id, + type: item.type, + title: item.title, + tags: item.tags, + favorite: item.favorite, + group: item.group, + icon_hint: (item.core.type === 'login' && item.core.url) + ? safeHostname(item.core.url) : undefined, + modified: item.modified, + trashed_at: item.trashed_at, + attachment_summaries: item.attachments.map((a) => ({ + id: a.id, filename: a.filename, mime_type: a.mime_type, size: a.size, + })), + }; +} + +function safeHostname(url: string): string | undefined { + try { return new URL(url).hostname; } catch { return undefined; } +} +``` + +- [ ] **Step 2: Verify the extension compiles** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | tail -20 +``` + +Expected: webpack build succeeds. If there are TS errors in `popup/` or `content/`, they're pre-existing and will be resolved in slices 5–6. + +**If `bun run build` fails because popup/content still references the old `Entry` type**, that's expected — slice 3 intentionally breaks those callers. Workaround: add `// @ts-nocheck` at the top of the files that fail, in a separate commit labelled `chore(ext): silence popup/content errors until slice 6`. Remove the `@ts-nocheck` comments in slice 6 Task 22. + +- [ ] **Step 3: Commit** + +```bash +git add extension/src/service-worker/index.ts +git commit -m "feat(ext/sw): rewire flat handler onto typed-item vault + SessionHandle" +``` + +### Task 10: Item round-trip smoke test via CLI + +Goal: prove the TS types round-trip cleanly through the WASM `item_encrypt` / `item_decrypt` against a real CLI-written vault. This is a manual verification — formal automation waits on slice 4's Vitest setup. + +**Files:** no code changes. + +- [ ] **Step 1: Create a test vault with the CLI** + +```bash +cd /home/alee/Sources/relicario +mkdir -p /tmp/ext-test-vault && cd /tmp/ext-test-vault +git init +RELICARIO_TEST_PASSPHRASE='correct horse battery staple parapet' \ + RELICARIO_TEST_ITEM_SECRET=$(head -c 32 /dev/urandom | base64) \ + cargo run -p relicario-cli -- init --non-interactive --output /tmp/test-image.jpg +# Use the test image for re-open: +RELICARIO_TEST_PASSPHRASE='correct horse battery staple parapet' \ + cargo run -p relicario-cli -- add login --title 'GitHub' \ + --username alice --url https://github.com --password-stdin <<< 'hunter2' +ls items/ manifest.enc settings.enc +``` + +Expected: one item file, a manifest, and a settings file. + +- [ ] **Step 2: Load the extension's service worker in isolation and decrypt the item** + +Skip formal automation for α. Instead verify the wire format by reading the Rust-side JSON form and mentally comparing to `shared/types.ts`: + +```bash +cd /tmp/ext-test-vault +# Rely on the fact that encrypt_item round-trips in the Rust tests; +# this step is a placeholder for slice 4's Vitest harness. +``` + +- [ ] **Step 3: Commit the pre-flight findings if any types had to change** + +If the round-trip reveals drift (e.g. an optional field serialized differently than predicted), update `shared/types.ts` in a dedicated commit now rather than later. If nothing drifted, skip this step. + +--- + +## Slice 4 — Split router with sender checks + +Goal: split the flat handler in `index.ts` into three files (`router/index.ts`, `router/popup-only.ts`, `router/content-callable.ts`) with the sender-check dispatch from the spec. Wire up Vitest and write the router's acceptance/rejection matrix. + +### Task 11: Scaffold `router/popup-only.ts` (move existing handlers) + +**Files:** +- Create: `extension/src/service-worker/router/popup-only.ts` + +- [ ] **Step 1: Write the file** + +```ts +/// Popup-callable message handlers. +/// +/// Every export here assumes the router has already verified sender identity +/// via sender.url === popup.html (or setup.html for save_setup). + +import type { PopupMessage, Response } from '../../shared/messages'; +import type { Item, ItemId, Manifest, VaultConfig, SetupState, DeviceSettings } from '../../shared/types'; +import { DEFAULT_DEVICE_SETTINGS } from '../../shared/types'; +import type { GitHost } from '../git-host'; +import { createGitHost, base64ToUint8Array } from '../git-host'; +import * as vault from '../vault'; +import * as session from '../session'; + +// --- Shared ambient state owned by the SW module --- +// +// The router keeps these on a single `state` object and injects it into the +// handler so testing can mock them without reaching for globals. + +export interface PopupState { + manifest: Manifest | null; + gitHost: GitHost | null; + // eslint-disable-next-line @typescript-eslint/no-explicit-any + wasm: any; +} + +export async function handle( + msg: PopupMessage, + state: PopupState, + sender: chrome.runtime.MessageSender, +): Promise { + void sender; // unused in most branches; retained for symmetry with content-callable + switch (msg.type) { + case 'is_unlocked': + return { ok: true, data: { unlocked: session.getCurrent() !== null } }; + + case 'unlock': { + const w = state.wasm; + const config = await loadConfig(); + if (!config) return { ok: false, error: 'Extension not configured. Run setup first.' }; + const imageB64 = await loadImageBase64(); + if (!imageB64) return { ok: false, error: 'Reference image not set. Run setup first.' }; + + const imageBytes = base64ToUint8Array(imageB64); + if (!state.gitHost) state.gitHost = createGitHost(config.hostType, config.hostUrl, config.repoPath, config.apiToken); + const meta = await vault.fetchVaultMeta(state.gitHost); + + const handle = w.unlock(msg.passphrase, imageBytes, meta.salt, meta.paramsJson); + session.setCurrent(handle); + (msg as { passphrase: string }).passphrase = ''; + + state.manifest = await vault.fetchAndDecryptManifest(state.gitHost, handle); + return { ok: true }; + } + + case 'lock': + session.clearCurrent(); + state.manifest = null; + return { ok: true }; + + case 'list_items': { + if (!state.manifest) return { ok: false, error: 'vault_locked' }; + return { ok: true, data: { items: vault.listItems(state.manifest, msg.group) } }; + } + + case 'get_item': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost) return { ok: false, error: 'vault_locked' }; + const item = await vault.fetchAndDecryptItem(state.gitHost, handle, msg.id); + return { ok: true, data: { item } }; + } + + case 'add_item': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) return { ok: false, error: 'vault_locked' }; + const id = state.wasm.new_item_id(); + const item: Item = { ...msg.item, id }; + await vault.encryptAndWriteItem(state.gitHost, handle, id, item, `add: ${item.title}`); + state.manifest.items[id] = itemToManifestEntry(item); + await vault.encryptAndWriteManifest(state.gitHost, handle, state.manifest, `manifest: add ${item.title}`); + return { ok: true, data: { id } }; + } + + case 'update_item': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) return { ok: false, error: 'vault_locked' }; + await vault.encryptAndWriteItem(state.gitHost, handle, msg.id, msg.item, `update: ${msg.item.title}`); + state.manifest.items[msg.id] = itemToManifestEntry(msg.item); + await vault.encryptAndWriteManifest(state.gitHost, handle, state.manifest, `manifest: update ${msg.item.title}`); + return { ok: true }; + } + + case 'delete_item': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) return { ok: false, error: 'vault_locked' }; + const entry = state.manifest.items[msg.id]; + if (!entry) return { ok: false, error: 'item_not_found' }; + const item = await vault.fetchAndDecryptItem(state.gitHost, handle, msg.id); + const now = Math.floor(Date.now() / 1000); + const updated: Item = { ...item, trashed_at: now, modified: now }; + await vault.encryptAndWriteItem(state.gitHost, handle, msg.id, updated, `trash: ${entry.title}`); + state.manifest.items[msg.id] = { ...entry, trashed_at: now, modified: now }; + await vault.encryptAndWriteManifest(state.gitHost, handle, state.manifest, `manifest: trash ${entry.title}`); + return { ok: true }; + } + + case 'get_totp': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost) return { ok: false, error: 'vault_locked' }; + const item = await vault.fetchAndDecryptItem(state.gitHost, handle, msg.id); + if (item.core.type !== 'login' || !item.core.totp) { + return { ok: false, error: 'no_totp' }; + } + const now = Math.floor(Date.now() / 1000); + const code = state.wasm.totp_compute(JSON.stringify(item.core.totp), BigInt(now)); + return { ok: true, data: { code: code.code, expires_at: code.expires_at } }; + } + + case 'sync': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost) return { ok: false, error: 'vault_locked' }; + state.manifest = await vault.fetchAndDecryptManifest(state.gitHost, handle); + return { ok: true }; + } + + case 'get_setup_state': + return { ok: true, data: await loadSetupState() }; + + case 'save_setup': { + await chrome.storage.local.set({ + vaultConfig: msg.config, + imageBase64: msg.imageBase64, + }); + state.gitHost = null; + return { ok: true }; + } + + case 'rate_passphrase': + return { ok: true, data: state.wasm.rate_passphrase(msg.passphrase) }; + + case 'generate_password': { + const password = state.wasm.generate_password(JSON.stringify(msg.request)); + return { ok: true, data: { password } }; + } + + case 'fill_credentials': + return handleFillCredentials(msg, state); + + case 'ack_autofill_origin': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost) return { ok: false, error: 'vault_locked' }; + const settings = await vault.fetchAndDecryptSettings(state.gitHost, handle); + const acks = { ...(settings.autofill_origin_acks ?? {}), [msg.hostname]: Math.floor(Date.now() / 1000) }; + const updated = { ...settings, autofill_origin_acks: acks }; + await vault.encryptAndWriteSettings(state.gitHost, handle, updated, `settings: ack origin ${msg.hostname}`); + return { ok: true }; + } + + case 'get_settings': + return { ok: true, data: { settings: await loadDeviceSettings() } }; + + case 'update_settings': { + const current = await loadDeviceSettings(); + await saveDeviceSettings({ ...current, ...msg.settings }); + return { ok: true }; + } + + case 'get_blacklist': + return { ok: true, data: { blacklist: await loadBlacklist() } }; + + case 'remove_blacklist': { + const bl = await loadBlacklist(); + await saveBlacklist(bl.filter((h) => h !== msg.hostname)); + return { ok: true }; + } + } +} + +// --- fill_credentials with captured-tab verification (audit M5) --- + +async function handleFillCredentials( + msg: Extract, + state: PopupState, +): Promise { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) return { ok: false, error: 'vault_locked' }; + + let tab: chrome.tabs.Tab; + try { tab = await chrome.tabs.get(msg.capturedTabId); } + catch { return { ok: false, error: 'captured_tab_gone' }; } + + const currentHost = safeHostname(tab.url ?? ''); + const capturedHost = safeHostname(msg.capturedUrl); + if (!currentHost || !capturedHost || currentHost !== capturedHost) { + return { ok: false, error: 'tab_navigated' }; + } + + const item = await vault.fetchAndDecryptItem(state.gitHost, handle, msg.id); + if (item.core.type !== 'login') return { ok: false, error: 'not_a_login' }; + const itemHost = safeHostname(item.core.url ?? ''); + if (!itemHost || itemHost !== currentHost) return { ok: false, error: 'origin_mismatch' }; + + await chrome.tabs.sendMessage(msg.capturedTabId, { + type: 'fill_credentials', + username: item.core.username ?? '', + password: item.core.password ?? '', + }); + return { ok: true }; +} + +// --- chrome.storage.local helpers (module-scoped so all handlers share) --- + +async function loadConfig(): Promise { + const r = await chrome.storage.local.get('vaultConfig'); + return (r.vaultConfig as VaultConfig) ?? null; +} + +async function loadImageBase64(): Promise { + const r = await chrome.storage.local.get('imageBase64'); + return (r.imageBase64 as string) ?? null; +} + +async function loadSetupState(): Promise { + const config = await loadConfig(); + const imageBase64 = await loadImageBase64(); + return { config, imageBase64, isConfigured: config !== null && imageBase64 !== null }; +} + +async function loadDeviceSettings(): Promise { + const r = await chrome.storage.local.get('relicarioSettings'); + return (r.relicarioSettings as DeviceSettings) ?? { ...DEFAULT_DEVICE_SETTINGS }; +} + +async function saveDeviceSettings(s: DeviceSettings): Promise { + await chrome.storage.local.set({ relicarioSettings: s }); +} + +async function loadBlacklist(): Promise { + const r = await chrome.storage.local.get('captureBlacklist'); + return (r.captureBlacklist as string[]) ?? []; +} + +async function saveBlacklist(list: string[]): Promise { + await chrome.storage.local.set({ captureBlacklist: list }); +} + +// --- Manifest entry derivation (duplicated from index; kept here to keep handler self-contained) --- + +function itemToManifestEntry(item: Item) { + return { + id: item.id, + type: item.type, + title: item.title, + tags: item.tags, + favorite: item.favorite, + group: item.group, + icon_hint: (item.core.type === 'login' && item.core.url) + ? safeHostname(item.core.url) : undefined, + modified: item.modified, + trashed_at: item.trashed_at, + attachment_summaries: item.attachments.map((a) => ({ + id: a.id, filename: a.filename, mime_type: a.mime_type, size: a.size, + })), + }; +} + +function safeHostname(url: string): string | undefined { + try { return new URL(url).hostname; } catch { return undefined; } +} +``` + +- [ ] **Step 2: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/service-worker/router/popup-only.ts +git commit -m "feat(ext/sw): router/popup-only handlers" +``` + +### Task 12: Create `router/content-callable.ts` + +**Files:** +- Create: `extension/src/service-worker/router/content-callable.ts` + +- [ ] **Step 1: Write the file** + +```ts +/// Content-script-callable message handlers. +/// +/// Origin is always derived from sender.tab.url — never trust fields on msg. +/// Router has already verified sender.frameId === 0 (top-frame only) and +/// sender.tab !== undefined. + +import type { ContentMessage, Response } from '../../shared/messages'; +import type { Manifest } from '../../shared/types'; +import type { GitHost } from '../git-host'; +import * as vault from '../vault'; +import * as session from '../session'; + +export interface ContentState { + manifest: Manifest | null; + gitHost: GitHost | null; +} + +export async function handle( + msg: ContentMessage, + state: ContentState, + sender: chrome.runtime.MessageSender, +): Promise { + const senderHost = safeHostname(sender.tab?.url ?? ''); + if (!senderHost) return { ok: false, error: 'invalid_sender_url' }; + + switch (msg.type) { + case 'get_autofill_candidates': { + if (!state.manifest) return { ok: false, error: 'vault_locked' }; + return { + ok: true, + data: { candidates: vault.findByHostname(state.manifest, senderHost) }, + }; + } + + case 'get_credentials': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) return { ok: false, error: 'vault_locked' }; + + const item = await vault.fetchAndDecryptItem(state.gitHost, handle, msg.id); + if (item.core.type !== 'login') return { ok: false, error: 'not_a_login' }; + const itemHost = safeHostname(item.core.url ?? ''); + if (!itemHost || itemHost !== senderHost) return { ok: false, error: 'origin_mismatch' }; + + // TOFU origin-ack check (VaultSettings.autofill_origin_acks): + const settings = await vault.fetchAndDecryptSettings(state.gitHost, handle); + const acks = settings.autofill_origin_acks ?? {}; + if (!(senderHost in acks)) { + return { ok: true, data: { requires_ack: true, hostname: senderHost } }; + } + + return { + ok: true, + data: { + username: item.core.username ?? '', + password: item.core.password ?? '', + }, + }; + } + + case 'check_credential': { + const handle = session.getCurrent(); + if (!handle || !state.gitHost || !state.manifest) { + return { ok: true, data: { action: 'skip' } }; + } + + // Settings-gating: capture off or site blacklisted → skip. + const captureSettings = await loadDeviceSettings(); + if (!captureSettings.captureEnabled) return { ok: true, data: { action: 'skip' } }; + + const blacklist = await loadBlacklist(); + if (blacklist.includes(senderHost)) return { ok: true, data: { action: 'skip' } }; + + const candidates = vault.findByHostname(state.manifest, senderHost); + if (candidates.length === 0) return { ok: true, data: { action: 'save' } }; + + for (const [itemId, entry] of candidates) { + if (entry.type !== 'login') continue; + const full = await vault.fetchAndDecryptItem(state.gitHost, handle, itemId); + if (full.core.type !== 'login') continue; + if (full.core.username === msg.username) { + if (full.core.password === msg.password) return { ok: true, data: { action: 'skip' } }; + return { ok: true, data: { action: 'update', entryId: itemId, entryName: entry.title } }; + } + } + return { ok: true, data: { action: 'save' } }; + } + + case 'blacklist_site': { + const bl = await loadBlacklist(); + if (!bl.includes(senderHost)) { + bl.push(senderHost); + await saveBlacklist(bl); + } + return { ok: true }; + } + } +} + +async function loadDeviceSettings(): Promise<{ captureEnabled: boolean; captureStyle: 'bar' | 'toast' }> { + const r = await chrome.storage.local.get('relicarioSettings'); + return (r.relicarioSettings as { captureEnabled: boolean; captureStyle: 'bar' | 'toast' }) + ?? { captureEnabled: false, captureStyle: 'bar' }; +} + +async function loadBlacklist(): Promise { + const r = await chrome.storage.local.get('captureBlacklist'); + return (r.captureBlacklist as string[]) ?? []; +} + +async function saveBlacklist(list: string[]): Promise { + await chrome.storage.local.set({ captureBlacklist: list }); +} + +function safeHostname(url: string): string | undefined { + try { return new URL(url).hostname; } catch { return undefined; } +} +``` + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/service-worker/router/content-callable.ts +git commit -m "feat(ext/sw): router/content-callable handlers with origin derivation" +``` + +### Task 13: Create `router/index.ts` dispatcher + +**Files:** +- Create: `extension/src/service-worker/router/index.ts` + +- [ ] **Step 1: Write the file** + +```ts +/// Single chrome.runtime.onMessage entry. Classifies the sender and dispatches +/// to popup-only or content-callable handlers. Unauthorized senders are +/// rejected with { ok: false, error: 'unauthorized_sender' }. + +import type { Request, Response } from '../../shared/messages'; +import { POPUP_ONLY_TYPES, CONTENT_CALLABLE_TYPES } from '../../shared/messages'; +import type { Manifest } from '../../shared/types'; +import type { GitHost } from '../git-host'; +import * as popupOnly from './popup-only'; +import * as contentCallable from './content-callable'; + +export interface RouterState { + manifest: Manifest | null; + gitHost: GitHost | null; + // eslint-disable-next-line @typescript-eslint/no-explicit-any + wasm: any; +} + +export async function route( + msg: Request, + state: RouterState, + sender: chrome.runtime.MessageSender, +): Promise { + const popupUrl = chrome.runtime.getURL('popup.html'); + const setupUrl = chrome.runtime.getURL('setup.html'); + const senderUrl = sender.url ?? ''; + + const isPopup = senderUrl === popupUrl; + const isSetup = senderUrl.startsWith(setupUrl); + const isContent = sender.tab !== undefined + && sender.frameId === 0 + && sender.id === chrome.runtime.id; + + if (POPUP_ONLY_TYPES.has(msg.type as never)) { + // save_setup gets one exception: allowed from the setup tab too. + if (!(isPopup || (msg.type === 'save_setup' && isSetup))) { + return { ok: false, error: 'unauthorized_sender' }; + } + return popupOnly.handle(msg as never, state, sender); + } + + if (CONTENT_CALLABLE_TYPES.has(msg.type as never)) { + if (!isContent) return { ok: false, error: 'unauthorized_sender' }; + return contentCallable.handle(msg as never, state, sender); + } + + return { ok: false, error: 'unknown_message_type' }; +} +``` + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/service-worker/router/index.ts +git commit -m "feat(ext/sw): router index with sender-based dispatch" +``` + +### Task 14: Collapse `service-worker/index.ts` onto the router + +**Files:** +- Modify: `extension/src/service-worker/index.ts` + +- [ ] **Step 1: Replace the file** + +```ts +/// Thin service-worker entry: loads WASM, constructs the router state, and +/// forwards every message into router/index.route(). + +import type { Request, Response } from '../shared/messages'; +import type { RouterState } from './router/index'; +import { route } from './router/index'; +import * as vault from './vault'; + +// @ts-ignore TS2307 — resolved by webpack alias / copy +import initDefault, { initSync } from '../../wasm/relicario_wasm.js'; +// @ts-ignore TS2307 +import * as wasmBindings from '../../wasm/relicario_wasm.js'; + +type WasmModule = typeof wasmBindings; +let wasm: WasmModule | null = null; + +async function initWasm(): Promise { + if (wasm) return wasm; + + // eslint-disable-next-line @typescript-eslint/no-explicit-any + const SWGlobalScope = (globalThis as any).ServiceWorkerGlobalScope as (new () => ServiceWorker) | undefined; + const isServiceWorker = typeof SWGlobalScope !== 'undefined' + && self instanceof (SWGlobalScope as unknown as typeof EventTarget); + + if (isServiceWorker) { + const wasmResponse = await fetch(chrome.runtime.getURL('relicario_wasm_bg.wasm')); + const wasmBytes = await wasmResponse.arrayBuffer(); + initSync({ module: new WebAssembly.Module(wasmBytes) }); + } else { + const wasmUrl = chrome.runtime.getURL('relicario_wasm_bg.wasm'); + await initDefault(wasmUrl); + } + + vault.setWasm(wasmBindings); + wasm = wasmBindings; + return wasm; +} + +// Single router-state object shared by all messages for this SW instance. +const state: RouterState = { + manifest: null, + gitHost: null, + wasm: null, +}; + +chrome.runtime.onMessage.addListener( + (request: Request, sender: chrome.runtime.MessageSender, sendResponse: (r: Response) => void) => { + (async () => { + if (!state.wasm) state.wasm = await initWasm(); + return route(request, state, sender); + })() + .then(sendResponse) + .catch((err: Error) => sendResponse({ ok: false, error: err.message })); + return true; // async response + }, +); +``` + +- [ ] **Step 2: Verify both builds pass** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | tail -15 +bun run build:firefox 2>&1 | tail -15 +``` + +Expected: both succeed. The popup/content callers compiled in slice 3 remain under their `@ts-nocheck` shields until slice 6. + +- [ ] **Step 3: Commit** + +```bash +git add extension/src/service-worker/index.ts +git commit -m "feat(ext/sw): collapse flat index onto router" +``` + +### Task 15: Wire Vitest + router test suite + +**Files:** +- Modify: `extension/package.json` +- Create: `extension/vitest.config.ts` +- Create: `extension/src/service-worker/router/__tests__/router.test.ts` + +- [ ] **Step 1: Add Vitest to devDependencies** + +```bash +cd /home/alee/Sources/relicario/extension +bun add -d vitest@^2.0 happy-dom@^15 +``` + +- [ ] **Step 2: Add `test` script to `package.json`** + +In `extension/package.json`, add under `scripts`: + +```json +"test": "vitest run", +"test:watch": "vitest" +``` + +- [ ] **Step 3: Create `vitest.config.ts`** + +```ts +import { defineConfig } from 'vitest/config'; + +export default defineConfig({ + test: { + environment: 'happy-dom', + include: ['src/**/__tests__/**/*.test.ts'], + }, +}); +``` + +- [ ] **Step 4: Write `router.test.ts`** + +```ts +import { beforeEach, describe, expect, it, vi } from 'vitest'; +import { route, type RouterState } from '../index'; +import type { Request } from '../../../shared/messages'; + +// --- chrome.* shim --- + +// @ts-expect-error test harness +globalThis.chrome = { + runtime: { + id: 'relicario-test-id', + getURL: (p: string) => `chrome-extension://relicario-test-id/${p}`, + }, + storage: { local: { get: vi.fn().mockResolvedValue({}), set: vi.fn().mockResolvedValue(undefined) } }, + tabs: { get: vi.fn(), sendMessage: vi.fn() }, +}; + +function makePopupSender(): chrome.runtime.MessageSender { + return { url: `chrome-extension://relicario-test-id/popup.html`, id: 'relicario-test-id' }; +} + +function makeSetupSender(): chrome.runtime.MessageSender { + return { url: `chrome-extension://relicario-test-id/setup.html`, id: 'relicario-test-id' }; +} + +function makeContentSender(pageUrl = 'https://example.com/'): chrome.runtime.MessageSender { + return { + tab: { id: 42, url: pageUrl } as chrome.tabs.Tab, + frameId: 0, + id: 'relicario-test-id', + }; +} + +function makeExternalSender(): chrome.runtime.MessageSender { + return { url: 'https://evil.example/', id: 'some-other-extension' }; +} + +function makeState(): RouterState { + return { + manifest: { schema_version: 2, items: {} }, + gitHost: null, + wasm: { + // Stubs sufficient for the message types exercised by tests: + new_item_id: () => 'fakeitemid0000ab', + generate_password: () => 'PASSWORD', + rate_passphrase: () => ({ score: 4, guesses_log10: 15 }), + }, + }; +} + +// --- Sender-check matrix --- + +describe('router sender dispatch', () => { + let state: RouterState; + beforeEach(() => { state = makeState(); }); + + const popupOnlyMsgs: Request[] = [ + { type: 'is_unlocked' }, + { type: 'lock' }, + { type: 'list_items' }, + { type: 'generate_password', request: { kind: 'random', length: 20, classes: { lower: true, upper: true, digits: true, symbols: true }, symbol_charset: { kind: 'safe_only' } } }, + { type: 'rate_passphrase', passphrase: 'hunter2hunter2hunter2' }, + { type: 'get_blacklist' }, + ]; + + for (const msg of popupOnlyMsgs) { + it(`accepts popup-only "${msg.type}" from popup`, async () => { + const res = await route(msg, state, makePopupSender()); + expect(res).toMatchObject({ ok: true }); + }); + it(`rejects popup-only "${msg.type}" from content`, async () => { + const res = await route(msg, state, makeContentSender()); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + it(`rejects popup-only "${msg.type}" from external`, async () => { + const res = await route(msg, state, makeExternalSender()); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + } + + it('accepts save_setup from popup', async () => { + const msg: Request = { type: 'save_setup', config: { hostType: 'github', hostUrl: '', repoPath: '', apiToken: '' }, imageBase64: '' }; + const res = await route(msg, state, makePopupSender()); + expect(res).toMatchObject({ ok: true }); + }); + + it('accepts save_setup from setup tab', async () => { + const msg: Request = { type: 'save_setup', config: { hostType: 'github', hostUrl: '', repoPath: '', apiToken: '' }, imageBase64: '' }; + const res = await route(msg, state, makeSetupSender()); + expect(res).toMatchObject({ ok: true }); + }); + + it('rejects save_setup from content', async () => { + const msg: Request = { type: 'save_setup', config: { hostType: 'github', hostUrl: '', repoPath: '', apiToken: '' }, imageBase64: '' }; + const res = await route(msg, state, makeContentSender()); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + + const contentMsgs: Request[] = [ + { type: 'get_autofill_candidates' }, + { type: 'blacklist_site' }, + ]; + + for (const msg of contentMsgs) { + it(`accepts content "${msg.type}" from top-frame content`, async () => { + const res = await route(msg, state, makeContentSender()); + expect(res.ok).toBe(true); + }); + it(`rejects content "${msg.type}" from popup`, async () => { + const res = await route(msg, state, makePopupSender()); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + it(`rejects content "${msg.type}" from subframe`, async () => { + const sender: chrome.runtime.MessageSender = { ...makeContentSender(), frameId: 3 }; + const res = await route(msg, state, sender); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + it(`rejects content "${msg.type}" from external`, async () => { + const res = await route(msg, state, makeExternalSender()); + expect(res).toEqual({ ok: false, error: 'unauthorized_sender' }); + }); + } + + it('rejects unknown message type', async () => { + // @ts-expect-error intentional invalid type + const res = await route({ type: 'nonsense' }, state, makePopupSender()); + expect(res).toEqual({ ok: false, error: 'unknown_message_type' }); + }); +}); + +// --- Origin-bound autofill --- + +describe('get_autofill_candidates uses sender.tab.url', () => { + it('derives hostname from sender, not message', async () => { + const state: RouterState = makeState(); + state.manifest = { + schema_version: 2, + items: { + 'aaaaaaaaaaaaaaaa': { + id: 'aaaaaaaaaaaaaaaa', type: 'login', title: 'GitHub', + tags: [], favorite: false, icon_hint: 'github.com', + modified: 0, attachment_summaries: [], + }, + 'bbbbbbbbbbbbbbbb': { + id: 'bbbbbbbbbbbbbbbb', type: 'login', title: 'Example', + tags: [], favorite: false, icon_hint: 'example.com', + modified: 0, attachment_summaries: [], + }, + }, + }; + const res = await route( + { type: 'get_autofill_candidates' }, + state, + makeContentSender('https://example.com/login'), + ); + expect(res.ok).toBe(true); + if (res.ok) { + const data = res.data as { candidates: Array<[string, { title: string }]> }; + expect(data.candidates).toHaveLength(1); + expect(data.candidates[0][1].title).toBe('Example'); + } + }); +}); +``` + +- [ ] **Step 5: Run the router tests** + +```bash +cd /home/alee/Sources/relicario/extension +bun run test 2>&1 | tail -30 +``` + +Expected: all tests pass. base32 tests (Task 6) also run in this pass. + +- [ ] **Step 6: Commit** + +```bash +git add extension/package.json extension/bun.lock extension/vitest.config.ts extension/src/service-worker/router/__tests__/router.test.ts +git commit -m "test(ext): vitest + router sender-check + origin-bound autofill" +``` + +--- + +## Slice 5 — Security hardening + +Goal: the remaining security items — manifest WAR cleanup, setup.html opened via `chrome.tabs.create` (not WAR), closed Shadow DOM in content scripts, popup captured-tab snapshot on init. + +### Task 16: Manifest WAR cleanup for Chrome + Firefox + +**Files:** +- Modify: `extension/manifest.json` +- Modify: `extension/manifest.firefox.json` + +- [ ] **Step 1: Edit Chrome manifest** + +Replace `web_accessible_resources` with the minimal set. If `styles.css` isn't used from pages (check `content/*.ts` for any `chrome.runtime.getURL('styles.css')`), drop it entirely. + +```bash +cd /home/alee/Sources/relicario +grep -rn "styles.css" extension/src/ +``` + +If no hits from content scripts, target shape: + +```json +"web_accessible_resources": [] +``` + +Or omit the field. For Chrome MV3 an empty array is permitted but the field can be removed entirely. Test both — some versions of chrome prefer absence. + +Edit `extension/manifest.json`: change the `web_accessible_resources` block to: + +```json +"web_accessible_resources": [] +``` + +- [ ] **Step 2: Edit Firefox manifest the same way** + +In `extension/manifest.firefox.json`: + +```json +"web_accessible_resources": [] +``` + +- [ ] **Step 3: Commit** + +```bash +git add extension/manifest.json extension/manifest.firefox.json +git commit -m "feat(ext): drop setup.html / wasm from web_accessible_resources (audit C1)" +``` + +### Task 17: Popup + setup open via `chrome.tabs.create` + +**Files:** +- Modify: `extension/src/popup/popup.ts` + +This is only relevant if the popup currently navigates to `chrome.runtime.getURL('setup.html')`. Today it does via `setup-wizard.ts`. Change it to open a new tab instead. + +- [ ] **Step 1: Locate the current setup navigation** + +```bash +cd /home/alee/Sources/relicario +grep -rn "setup.html\|setup-wizard" extension/src/popup/ | head -10 +``` + +- [ ] **Step 2: Update popup.ts init to open setup in a tab when not configured** + +Find the `init()` function in `extension/src/popup/popup.ts`. Replace the branch `if (!data.isConfigured) { navigate('setup'); return; }` with: + +```ts +if (!data.isConfigured) { + await chrome.tabs.create({ url: chrome.runtime.getURL('setup.html') }); + window.close(); + return; +} +``` + +- [ ] **Step 3: Remove the `setup` view from the popup state machine** + +Search for all `navigate('setup')` calls in `extension/src/popup/components/*.ts` and replace each with: + +```ts +await chrome.tabs.create({ url: chrome.runtime.getURL('setup.html') }); +window.close(); +``` + +Remove `'setup'` from the `View` union in `popup.ts`: + +```ts +export type View = 'locked' | 'list' | 'detail' | 'add' | 'edit' | 'settings'; +``` + +Remove the `case 'setup':` branch from `render()`. + +Delete the file `extension/src/popup/components/setup-wizard.ts` (it referenced the old Entry type; the standalone setup flow in `src/setup/setup.ts` handles all setup UX now). + +- [ ] **Step 4: Rebuild** + +```bash +cd extension +bun run build 2>&1 | tail -10 +``` + +Expected: build passes. If setup-wizard.ts is still referenced anywhere, remove the import. + +- [ ] **Step 5: Commit** + +```bash +cd /home/alee/Sources/relicario +git add -A extension/src/popup/ +git commit -m "feat(ext/popup): open setup via chrome.tabs.create, drop setup view from popup" +``` + +### Task 18: Closed Shadow DOM helper + content-script rewrite (capture) + +**Files:** +- Create: `extension/src/content/shadow.ts` +- Modify: `extension/src/content/capture.ts` + +- [ ] **Step 1: Create the shadow host helper** + +```ts +// extension/src/content/shadow.ts +/// Creates a closed Shadow DOM host attached to document.body. +/// Page JS cannot read host.shadowRoot (it's null from outside) and our +/// rendered DOM has no stable IDs. + +export interface ShadowSurface { + host: HTMLElement; + root: ShadowRoot; + destroy: () => void; +} + +export function createShadowHost(): ShadowSurface { + const host = document.createElement('div'); + host.dataset.rel = ''; // no identifying class/id + document.body.appendChild(host); + const root = host.attachShadow({ mode: 'closed' }); + return { host, root, destroy: () => host.remove() }; +} +``` + +- [ ] **Step 2: Rewrite `content/capture.ts` to use the shadow host + textContent** + +Replace the entire file: + +```ts +/// Credential capture: hook form submissions; if the submitted credentials +/// aren't already in the vault (or differ), prompt the user to save/update. +/// +/// All page UI lives inside a closed Shadow DOM with textContent-only DOM +/// construction. No stable IDs, no innerHTML. + +import type { Request, Response } from '../shared/messages'; +import type { DeviceSettings } from '../shared/types'; +import { createShadowHost } from './shadow'; + +const hookedForms = new WeakSet(); +const hookedButtons = new WeakSet(); + +function sendMessage(request: Request): Promise { + return new Promise((resolve) => chrome.runtime.sendMessage(request, (r: Response) => resolve(r))); +} + +/// Bounded, control-char-free username scrape. +function findUsernameValue(pwField: HTMLInputElement): string { + const form = pwField.closest('form'); + const scope = form ?? document; + const inputs = scope.querySelectorAll('input'); + + for (const input of inputs) { + if (input === pwField) continue; + if (input.autocomplete === 'username' && input.value) return sanitize(input.value); + } + for (const input of inputs) { + if (input === pwField) continue; + if (input.autocomplete === 'email' && input.value) return sanitize(input.value); + } + for (const input of inputs) { + if (input === pwField) continue; + if (input.type === 'email' && input.value) return sanitize(input.value); + } + const pattern = /user|email|login|account/i; + for (const input of inputs) { + if (input === pwField) continue; + if (input.type === 'hidden' || input.type === 'password') continue; + if ((pattern.test(input.name) || pattern.test(input.id)) && input.value) return sanitize(input.value); + } + const allInputs = Array.from(inputs); + const pwIndex = allInputs.indexOf(pwField); + for (let i = pwIndex - 1; i >= 0; i--) { + const input = allInputs[i]; + if (input.type === 'hidden' || input.type === 'password' || input.type === 'submit') continue; + if (input.offsetWidth > 0 && input.offsetHeight > 0 && input.value) return sanitize(input.value); + } + return ''; +} + +function sanitize(s: string): string { + return s.replace(/\p{Cc}/gu, '').slice(0, 256); +} + +let currentPrompt: ShadowSurface | null = null; + +async function onFormSubmit(pwField: HTMLInputElement): Promise { + const password = pwField.value; + if (!password) return; + + const username = findUsernameValue(pwField); + const resp = await sendMessage({ type: 'check_credential', username, password }); + if (!resp.ok) return; + + const data = resp.data as { action: 'skip' | 'save' | 'update'; entryId?: string; entryName?: string }; + if (data.action === 'skip') return; + + const settingsResp = await sendMessage({ type: 'get_settings' }); + const settings: DeviceSettings = settingsResp.ok + ? (settingsResp.data as { settings: DeviceSettings }).settings + : { captureEnabled: true, captureStyle: 'bar' }; + + showPrompt(settings.captureStyle, data.action, username, password, data.entryId); +} + +type ShadowSurface = ReturnType; + +function removeExistingPrompt(): void { + currentPrompt?.destroy(); + currentPrompt = null; +} + +function showPrompt( + style: 'bar' | 'toast', + action: 'save' | 'update', + username: string, + password: string, + entryId?: string, +): void { + removeExistingPrompt(); + currentPrompt = createShadowHost(); + const { root, host } = currentPrompt; + + // Style the host itself (positioning) so page CSS can't override via specificity. + const positioning = style === 'bar' + ? 'position:fixed;top:0;left:0;right:0;z-index:2147483647;transform:translateY(-100%);transition:transform .3s;' + : 'position:fixed;bottom:16px;right:16px;z-index:2147483647;opacity:0;transition:opacity .3s;'; + host.setAttribute('style', positioning); + + // Shadow root style sheet — single static literal, no injected values. + const style0 = document.createElement('style'); + style0.textContent = ` + .box { font-family: system-ui, sans-serif; font-size: 13px; color: #c9d1d9; + background: #161b22; padding: 10px 16px; display: flex; align-items: center; + gap: 12px; border: 1px solid #30363d; border-radius: 4px; + box-shadow: 0 4px 12px rgba(0,0,0,0.4); line-height: 1.4; } + .host { color: #58a6ff; font-weight: 600; } + .btn-primary { background: #1f6feb; color: #fff; border: none; padding: 5px 14px; + border-radius: 3px; cursor: pointer; font: inherit; } + .btn-secondary { background: transparent; color: #8b949e; border: 1px solid #30363d; + padding: 5px 10px; border-radius: 3px; cursor: pointer; font: inherit; } + .btn-close { background: transparent; color: #8b949e; border: none; cursor: pointer; + padding: 2px 6px; font: inherit; } + .msg { flex: 1; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; } + `; + root.appendChild(style0); + + const box = document.createElement('div'); + box.className = 'box'; + + const msg = document.createElement('span'); + msg.className = 'msg'; + const actionLabel = action === 'update' ? 'Update' : 'Save'; + const hostname = window.location.hostname; + msg.appendChild(document.createTextNode(`${actionLabel} login for `)); + const hostSpan = document.createElement('span'); + hostSpan.className = 'host'; + hostSpan.textContent = hostname; + msg.appendChild(hostSpan); + if (username) msg.appendChild(document.createTextNode(` (${username})?`)); + else msg.appendChild(document.createTextNode('?')); + + const saveBtn = document.createElement('button'); + saveBtn.className = 'btn-primary'; + saveBtn.textContent = actionLabel; + + const neverBtn = document.createElement('button'); + neverBtn.className = 'btn-secondary'; + neverBtn.textContent = 'Never'; + + const closeBtn = document.createElement('button'); + closeBtn.className = 'btn-close'; + closeBtn.textContent = '✕'; + + box.appendChild(msg); + box.appendChild(saveBtn); + box.appendChild(neverBtn); + box.appendChild(closeBtn); + root.appendChild(box); + + // Animate in + requestAnimationFrame(() => { + if (style === 'bar') host.style.transform = 'translateY(0)'; + else host.style.opacity = '1'; + }); + + let autoDismissTimer: ReturnType | null = null; + if (style === 'toast') { + autoDismissTimer = setTimeout(() => removeExistingPrompt(), 15_000); + } + const clearAutoDismiss = (): void => { if (autoDismissTimer) clearTimeout(autoDismissTimer); }; + + saveBtn.addEventListener('click', async () => { + clearAutoDismiss(); + const now = Math.floor(Date.now() / 1000); + const item = { + id: '', title: hostname, type: 'login' as const, tags: [], favorite: false, + created: now, modified: now, + core: { type: 'login' as const, username, password, url: window.location.origin }, + sections: [], attachments: [], field_history: {}, + }; + if (action === 'update' && entryId) { + await sendMessage({ type: 'update_item', id: entryId, item }); + } else { + await sendMessage({ type: 'add_item', item }); + } + msg.textContent = '✓ Saved'; + saveBtn.style.display = 'none'; + neverBtn.style.display = 'none'; + setTimeout(() => removeExistingPrompt(), 1500); + }); + + neverBtn.addEventListener('click', async () => { + clearAutoDismiss(); + await sendMessage({ type: 'blacklist_site' }); + removeExistingPrompt(); + }); + + closeBtn.addEventListener('click', () => { + clearAutoDismiss(); + removeExistingPrompt(); + }); +} + +export function hookForms(): void { + const passwordFields = document.querySelectorAll('input[type="password"]'); + for (const pwField of passwordFields) { + if (pwField.offsetWidth < 20 || pwField.offsetHeight < 10) continue; + const form = pwField.closest('form'); + if (form && !hookedForms.has(form)) { + hookedForms.add(form); + form.addEventListener('submit', () => { onFormSubmit(pwField); }); + } + const scope = form ?? pwField.parentElement; + if (!scope) continue; + const buttons = scope.querySelectorAll('button[type="submit"], input[type="submit"], button:not([type])'); + for (const btn of buttons) { + if (hookedButtons.has(btn)) continue; + hookedButtons.add(btn); + btn.addEventListener('click', () => { onFormSubmit(pwField); }); + } + } +} +``` + +- [ ] **Step 3: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/content/shadow.ts extension/src/content/capture.ts +git commit -m "feat(ext/content): closed Shadow DOM + textContent for capture prompt" +``` + +### Task 19: Closed Shadow DOM for icon + picker + +**Files:** +- Modify: `extension/src/content/icon.ts` + +- [ ] **Step 1: Replace the file** + +```ts +/// Inject a small "id" icon next to password fields. Clicking it queries for +/// autofill candidates and either fills or shows a picker — both rendered in +/// closed Shadow DOMs attached to document.body (not as page-DOM children). + +import type { ManifestEntry } from '../shared/types'; +import { createShadowHost } from './shadow'; + +const injected = new WeakSet(); + +export function injectFieldIcons( + passwordField: HTMLInputElement, + _usernameField: HTMLInputElement | null, +): void { + if (injected.has(passwordField)) return; + injected.add(passwordField); + + const iconSurface = createShadowHost(); + // Position the host over the password field. + const rect = passwordField.getBoundingClientRect(); + Object.assign(iconSurface.host.style, { + position: 'fixed', + top: `${rect.top + rect.height / 2 - 10}px`, + left: `${rect.right - 28}px`, + width: '20px', + height: '20px', + zIndex: '2147483647', + }); + + const style = document.createElement('style'); + style.textContent = ` + .i { width: 20px; height: 20px; line-height: 20px; text-align: center; + font: 700 10px monospace; color: #fff; background: #1f6feb; + border-radius: 3px; cursor: pointer; user-select: none; } + `; + iconSurface.root.appendChild(style); + + const icon = document.createElement('div'); + icon.className = 'i'; + icon.textContent = 'id'; + iconSurface.root.appendChild(icon); + + // Keep icon positioned across scroll/resize. + const reposition = (): void => { + const r = passwordField.getBoundingClientRect(); + iconSurface.host.style.top = `${r.top + r.height / 2 - 10}px`; + iconSurface.host.style.left = `${r.right - 28}px`; + }; + window.addEventListener('scroll', reposition, true); + window.addEventListener('resize', reposition); + + icon.addEventListener('click', async (e) => { + e.preventDefault(); + e.stopPropagation(); + const resp = await chrome.runtime.sendMessage({ type: 'get_autofill_candidates' }); + if (!resp || !resp.ok) return; + const candidates = resp.data.candidates as Array<[string, ManifestEntry]>; + if (candidates.length === 0) return; + if (candidates.length === 1) { + const [id] = candidates[0]; + // Popup-captured tab logic doesn't apply here — this is a direct in-page click; + // the SW enforces origin check via sender.tab.url on get_credentials. + const credResp = await chrome.runtime.sendMessage({ type: 'get_credentials', id }); + if (credResp?.ok) { + const d = credResp.data as { requires_ack?: true; hostname?: string; username?: string; password?: string }; + if (d.requires_ack) { + showAckMessage(iconSurface.host, d.hostname ?? window.location.hostname); + return; + } + chrome.runtime.sendMessage({ + type: 'fill_credentials', + username: d.username, + password: d.password, + }); + } + } else { + showPicker(iconSurface.host, candidates); + } + }); +} + +function showPicker(anchor: HTMLElement, candidates: Array<[string, ManifestEntry]>): void { + // Reuse the anchor's shadow host by mounting a dropdown below it. + const pickerSurface = createShadowHost(); + const r = anchor.getBoundingClientRect(); + Object.assign(pickerSurface.host.style, { + position: 'fixed', top: `${r.bottom + 4}px`, left: `${r.right - 200}px`, + zIndex: '2147483647', + }); + + const style = document.createElement('style'); + style.textContent = ` + .p { background:#161b22;border:1px solid #30363d;border-radius:6px; + box-shadow:0 4px 12px rgba(0,0,0,.4);min-width:200px;max-height:200px; + overflow-y:auto;font-family:system-ui,sans-serif;font-size:12px;color:#c9d1d9; } + .row { padding:8px 12px;cursor:pointer;border-bottom:1px solid #21262d; } + .row:hover { background:#21262d; } + `; + pickerSurface.root.appendChild(style); + + const container = document.createElement('div'); + container.className = 'p'; + pickerSurface.root.appendChild(container); + + for (const [id, entry] of candidates) { + const row = document.createElement('div'); + row.className = 'row'; + row.textContent = entry.title; // title only; could append group/tags later + row.addEventListener('click', async (e) => { + e.stopPropagation(); + pickerSurface.destroy(); + const credResp = await chrome.runtime.sendMessage({ type: 'get_credentials', id }); + if (credResp?.ok) { + const d = credResp.data as { requires_ack?: true; hostname?: string; username?: string; password?: string }; + if (d.requires_ack) { + showAckMessage(anchor, d.hostname ?? window.location.hostname); + return; + } + chrome.runtime.sendMessage({ type: 'fill_credentials', username: d.username, password: d.password }); + } + }); + container.appendChild(row); + } + + const closeOnOutside = (): void => { + pickerSurface.destroy(); + document.removeEventListener('click', closeOnOutside, true); + }; + setTimeout(() => document.addEventListener('click', closeOnOutside, true), 0); +} + +function showAckMessage(anchor: HTMLElement, hostname: string): void { + const surface = createShadowHost(); + const r = anchor.getBoundingClientRect(); + Object.assign(surface.host.style, { + position: 'fixed', top: `${r.bottom + 4}px`, left: `${r.right - 240}px`, + zIndex: '2147483647', + }); + const style = document.createElement('style'); + style.textContent = ` + .box { background:#161b22;border:1px solid #30363d;border-radius:6px; + padding:10px 12px;color:#c9d1d9;font-family:system-ui,sans-serif; + font-size:12px;max-width:240px;box-shadow:0 4px 12px rgba(0,0,0,.4); } + .host { color:#58a6ff; } + `; + surface.root.appendChild(style); + const box = document.createElement('div'); + box.className = 'box'; + const line1 = document.createElement('div'); + line1.appendChild(document.createTextNode('First autofill on ')); + const hostSpan = document.createElement('span'); + hostSpan.className = 'host'; + hostSpan.textContent = hostname; + line1.appendChild(hostSpan); + const line2 = document.createElement('div'); + line2.textContent = 'Open the relicario popup to confirm, then click again.'; + box.appendChild(line1); + box.appendChild(line2); + surface.root.appendChild(box); + setTimeout(() => surface.destroy(), 5000); +} +``` + +Note this task edits `icon.ts` to include the TOFU `requires_ack` check surface. It also removes the old dependence on `url` passed from content → SW for `get_autofill_candidates` (the SW now derives it). + +- [ ] **Step 2: Rebuild** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | tail -10 +``` + +Expected: build passes. Content/detector.ts and content/fill.ts are untouched. + +- [ ] **Step 3: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/content/icon.ts +git commit -m "feat(ext/content): closed Shadow DOM for autofill icon + picker + ack hint" +``` + +### Task 20: Popup captured-tab snapshot on init + +**Files:** +- Modify: `extension/src/popup/popup.ts` + +- [ ] **Step 1: Add captured-tab fields to PopupState** + +At the top of `popup.ts`, extend the state type: + +```ts +export interface PopupState { + view: View; + entries: Array<[string, import('../shared/types').ManifestEntry]>; + selectedId: string | null; + selectedItem: import('../shared/types').Item | null; + selectedIndex: number; + searchQuery: string; + activeGroup: string | null; + error: string | null; + loading: boolean; + capturedTabId: number | null; + capturedUrl: string; +} +``` + +Update the initializer and `setState`/`navigate` to preserve these. + +- [ ] **Step 2: Snapshot the active tab at init** + +In `init()` after the setup-state check, before the unlock branch, add: + +```ts +const [tab] = await chrome.tabs.query({ active: true, currentWindow: true }); +currentState.capturedTabId = tab?.id ?? null; +currentState.capturedUrl = tab?.url ?? ''; +``` + +- [ ] **Step 3: Commit** + +```bash +git add extension/src/popup/popup.ts +git commit -m "feat(ext/popup): snapshot activeTab at popup-open for fill_credentials (audit M5)" +``` + +--- + +## Slice 6 — Login-parity popup + zxcvbn setup + Firefox verification + +Goal: delete the `@ts-nocheck` shields, rewire the popup components onto `Item::Login`, add the zxcvbn strength meter to the setup wizard, verify both Chrome and Firefox. + +### Task 21: Rename popup components `entry-*` → `item-*` + +**Files:** +- Move: `extension/src/popup/components/entry-list.ts` → `item-list.ts` +- Move: `extension/src/popup/components/entry-detail.ts` → `item-detail.ts` +- Move: `extension/src/popup/components/entry-form.ts` → `item-form.ts` + +- [ ] **Step 1: Rename the files (preserving git history)** + +```bash +cd /home/alee/Sources/relicario +git mv extension/src/popup/components/entry-list.ts extension/src/popup/components/item-list.ts +git mv extension/src/popup/components/entry-detail.ts extension/src/popup/components/item-detail.ts +git mv extension/src/popup/components/entry-form.ts extension/src/popup/components/item-form.ts +``` + +- [ ] **Step 2: Update imports in `popup.ts`** + +Replace the three imports: + +```ts +import { renderItemList } from './components/item-list'; +import { renderItemDetail } from './components/item-detail'; +import { renderItemForm } from './components/item-form'; +``` + +And the three `case 'list' / 'detail' / 'add'|'edit'` render calls. + +- [ ] **Step 3: Commit the rename only (no content changes yet)** + +```bash +git commit -m "refactor(ext/popup): rename entry-* → item-* components" +``` + +### Task 22: Rewrite `item-list.ts` for ManifestEntry v2 + +**Files:** +- Modify: `extension/src/popup/components/item-list.ts` + +- [ ] **Step 1: Replace the file body with the v2 list renderer** + +Locate the file and replace its content. The new list view should: + +- Read `state.entries: Array<[ItemId, ManifestEntry]>` (already populated in `popup.ts:init()` via `list_items`). +- Render each row with: type-icon glyph, title, group (if set), tags inline, a ★ for favorites. +- Filter by `state.searchQuery` (case-insensitive against title + tags). +- Clicking a row dispatches `sendMessage({ type: 'get_item', id })` and navigates to `detail`. +- Add a "New…" button that navigates to `add` (defaulting to `login` type for α). + +Target structure (abbreviated — fill in HTML/CSS matching existing `styles.css` classes): + +```ts +import { getState, setState, sendMessage, navigate, escapeHtml } from '../popup'; +import type { ManifestEntry } from '../../shared/types'; + +export async function renderItemList(app: HTMLElement): Promise { + const state = getState(); + const q = state.searchQuery.toLowerCase(); + const filtered = state.entries.filter(([, e]) => + e.title.toLowerCase().includes(q) || e.tags.some((t) => t.toLowerCase().includes(q)) + ); + + app.innerHTML = ` +
+
+ + + + + +
+
    + ${filtered.map(([id, e]) => row(id, e)).join('')} +
+
+ `; + + document.getElementById('search')?.addEventListener('input', (ev) => { + setState({ searchQuery: (ev.target as HTMLInputElement).value }); + }); + document.getElementById('new-btn')?.addEventListener('click', () => navigate('add')); + document.getElementById('sync-btn')?.addEventListener('click', async () => { + await sendMessage({ type: 'sync' }); + const res = await sendMessage({ type: 'list_items' }); + if (res.ok) setState({ entries: (res.data as { items: Array<[string, ManifestEntry]> }).items }); + }); + document.getElementById('lock-btn')?.addEventListener('click', async () => { + await sendMessage({ type: 'lock' }); + navigate('locked'); + }); + document.getElementById('settings-btn')?.addEventListener('click', () => navigate('settings')); + + for (const [id] of filtered) { + document.querySelector(`[data-id="${id}"]`)?.addEventListener('click', async () => { + const res = await sendMessage({ type: 'get_item', id }); + if (res.ok) { + const item = (res.data as { item: import('../../shared/types').Item }).item; + setState({ selectedId: id, selectedItem: item }); + navigate('detail'); + } + }); + } +} + +function row(id: string, e: ManifestEntry): string { + const icon = iconFor(e.type); + const star = e.favorite ? '★' : ''; + const tags = e.tags.length > 0 ? `${e.tags.map(escapeHtml).join(' ')}` : ''; + return ` +
  • + ${icon} + ${escapeHtml(e.title)} + ${e.group ? `${escapeHtml(e.group)}` : ''} + ${tags} + ${star} +
    • + `; +} + +function iconFor(t: string): string { + switch (t) { + case 'login': return '🔑'; + case 'secure_note': return '📝'; + case 'identity': return '🪪'; + case 'card': return '💳'; + case 'key': return '🗝'; + case 'document': return '📄'; + case 'totp': return '⏱'; + default: return '◇'; + } +} +``` + +Remove any `@ts-nocheck` comment that was added earlier. + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/popup/components/item-list.ts extension/src/popup/popup.ts +git commit -m "feat(ext/popup): typed-item list view" +``` + +### Task 23: Rewrite `item-detail.ts` — Login detail + coming-soon for others + +**Files:** +- Modify: `extension/src/popup/components/item-detail.ts` + +- [ ] **Step 1: Replace the file** + +```ts +import { getState, setState, sendMessage, navigate, escapeHtml } from '../popup'; +import type { Item } from '../../shared/types'; +import { base32Encode } from '../../shared/base32'; + +export async function renderItemDetail(app: HTMLElement): Promise { + const state = getState(); + const item = state.selectedItem; + if (!item) { navigate('list'); return; } + + switch (item.type) { + case 'login': renderLogin(app, item); return; + case 'secure_note': + case 'identity': + case 'card': + case 'key': + case 'document': + case 'totp': renderComingSoon(app, item); return; + } +} + +function renderLogin(app: HTMLElement, item: Item): void { + if (item.core.type !== 'login') return; + const { username, password, url, totp } = item.core; + + app.innerHTML = ` +
    +
    ${escapeHtml(item.title)}
    +
    username ${escapeHtml(username ?? '')}
    +
    password ••••••
    + ${url ? `
    url ${escapeHtml(url)}
    ` : ''} + ${totp ? `
    totp
    ` : ''} + ${item.notes ? `
    notes ${escapeHtml(item.notes)}
    ` : ''} +
    + + + + +
    +
    + `; + + let revealed = false; + document.getElementById('reveal-pass')?.addEventListener('click', () => { + revealed = !revealed; + const d = document.getElementById('d-pass')!; + d.textContent = revealed ? (password ?? '') : '••••••'; + (document.getElementById('reveal-pass') as HTMLButtonElement).textContent = revealed ? 'hide' : 'show'; + }); + document.getElementById('copy-user')?.addEventListener('click', () => navigator.clipboard.writeText(username ?? '')); + document.getElementById('copy-pass')?.addEventListener('click', () => navigator.clipboard.writeText(password ?? '')); + document.getElementById('back-btn')?.addEventListener('click', () => navigate('list')); + document.getElementById('edit-btn')?.addEventListener('click', () => navigate('edit')); + document.getElementById('del-btn')?.addEventListener('click', async () => { + if (!confirm(`Move "${item.title}" to trash?`)) return; + await sendMessage({ type: 'delete_item', id: item.id }); + const res = await sendMessage({ type: 'list_items' }); + if (res.ok) setState({ entries: (res.data as any).items, selectedItem: null, selectedId: null }); + navigate('list'); + }); + document.getElementById('fill-btn')?.addEventListener('click', async () => { + const { capturedTabId, capturedUrl } = getState(); + if (capturedTabId === null) return; + await sendMessage({ type: 'fill_credentials', id: item.id, capturedTabId, capturedUrl }); + window.close(); + }); + + if (totp) { + const tick = async (): Promise => { + const r = await sendMessage({ type: 'get_totp', id: item.id }); + if (!r.ok) return; + const { code, expires_at } = r.data as { code: string; expires_at: number }; + const codeSpan = document.getElementById('d-totp'); + const expSpan = document.getElementById('d-totp-exp'); + if (codeSpan) codeSpan.textContent = code; + if (expSpan) expSpan.textContent = `(${Math.max(0, expires_at - Math.floor(Date.now() / 1000))}s)`; + }; + tick(); + const id = setInterval(tick, 1000); + window.addEventListener('hashchange', () => clearInterval(id)); + } + void base32Encode; // silence unused — used in item-form.ts +} + +function renderComingSoon(app: HTMLElement, item: Item): void { + app.innerHTML = ` +
    +
    ${escapeHtml(item.title)}
    +

    The ${escapeHtml(item.type)} item type is coming in Plan 1C-β.

    +

    Use the CLI for now: relicario get ${escapeHtml(item.id)} --show

    + +
    + `; + document.getElementById('back-btn')?.addEventListener('click', () => navigate('list')); +} +``` + +- [ ] **Step 2: Commit** + +```bash +git add extension/src/popup/components/item-detail.ts +git commit -m "feat(ext/popup): Login detail view + coming-soon for other types" +``` + +### Task 24: Rewrite `item-form.ts` — Login add/edit + +**Files:** +- Modify: `extension/src/popup/components/item-form.ts` + +- [ ] **Step 1: Replace the file** + +```ts +import { getState, setState, sendMessage, navigate, escapeHtml } from '../popup'; +import type { Item, ItemType } from '../../shared/types'; +import { DEFAULT_PASSWORD_REQUEST } from '../../shared/types'; +import { base32Decode, base32Encode } from '../../shared/base32'; + +export async function renderItemForm(app: HTMLElement, mode: 'add' | 'edit'): Promise { + const state = getState(); + const item = mode === 'edit' ? state.selectedItem : null; + const type: ItemType = item?.type ?? 'login'; + + if (type !== 'login') { + app.innerHTML = ` +
    +
    ${mode === 'add' ? 'new item' : 'edit item'}
    +

    Editing ${escapeHtml(type)} items is coming in 1C-β.

    + +
    + `; + document.getElementById('back-btn')?.addEventListener('click', () => navigate('list')); + return; + } + + const existing = item && item.core.type === 'login' ? item.core : null; + const totpB32 = existing?.totp ? base32Encode(new Uint8Array(existing.totp.secret)) : ''; + + app.innerHTML = ` +
    +
    ${mode === 'add' ? 'new login' : 'edit login'}
    + ${state.error ? `
    ${escapeHtml(state.error)}
    ` : ''} +
    + + +
    +
    + + +
    +
    + + +
    +
    + +
    + + +
    +
    +
    + + +
    +
    + + +
    +
    + + +
    +
    + + +
    +
    + `; + + document.getElementById('gen-btn')?.addEventListener('click', async () => { + const resp = await sendMessage({ type: 'generate_password', request: DEFAULT_PASSWORD_REQUEST }); + if (resp.ok) { + const pw = (resp.data as { password: string }).password; + (document.getElementById('f-pass') as HTMLInputElement).value = pw; + } + }); + + document.getElementById('cancel-btn')?.addEventListener('click', () => { + setState({ error: null }); + navigate(mode === 'edit' ? 'detail' : 'list'); + }); + + document.getElementById('save-btn')?.addEventListener('click', async () => { + const title = (document.getElementById('f-title') as HTMLInputElement).value.trim(); + if (!title) { setState({ error: 'title is required' }); return; } + const url = (document.getElementById('f-url') as HTMLInputElement).value.trim() || undefined; + const username = (document.getElementById('f-user') as HTMLInputElement).value.trim() || undefined; + const password = (document.getElementById('f-pass') as HTMLInputElement).value || undefined; + const totpStr = (document.getElementById('f-totp') as HTMLInputElement).value.trim(); + const group = (document.getElementById('f-group') as HTMLInputElement).value.trim() || undefined; + const notes = (document.getElementById('f-notes') as HTMLTextAreaElement).value.trim() || undefined; + + let totpConfig: import('../../shared/types').TotpConfig | undefined; + if (totpStr) { + try { + const secretBytes = base32Decode(totpStr); + totpConfig = { + secret: Array.from(secretBytes), + algorithm: 'sha1', + digits: 6, + period_seconds: 30, + kind: 'totp', + }; + } catch (e) { setState({ error: `invalid TOTP secret: ${(e as Error).message}` }); return; } + } + + const now = Math.floor(Date.now() / 1000); + const payload: Item = { + id: item?.id ?? '', + title, + type: 'login', + tags: item?.tags ?? [], + favorite: item?.favorite ?? false, + group, + notes, + created: item?.created ?? now, + modified: now, + core: { type: 'login', username, password, url, totp: totpConfig }, + sections: item?.sections ?? [], + attachments: item?.attachments ?? [], + field_history: item?.field_history ?? {}, + }; + + const res = mode === 'edit' && item + ? await sendMessage({ type: 'update_item', id: item.id, item: payload }) + : await sendMessage({ type: 'add_item', item: payload }); + + if (!res.ok) { setState({ error: res.error }); return; } + + const listRes = await sendMessage({ type: 'list_items' }); + if (listRes.ok) { + setState({ + entries: (listRes.data as any).items, + error: null, + }); + } + navigate('list'); + }); +} +``` + +- [ ] **Step 2: Rebuild and commit** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | tail -10 +cd .. +git add extension/src/popup/components/item-form.ts +git commit -m "feat(ext/popup): Login add/edit form on typed-item API" +``` + +### Task 25: Setup wizard zxcvbn meter + +**Files:** +- Modify: `extension/src/setup/setup.ts` + +- [ ] **Step 1: Locate the passphrase input in `setup.ts`** + +Read `extension/src/setup/setup.ts` to find where the passphrase `` is rendered and where the submit button is wired. + +- [ ] **Step 2: Wire the strength meter** + +Add next to the passphrase input (in the HTML template): + +```html +
    + + +
    +
    + +
    +

    +
    +``` + +Add CSS for the bar (5 segments, color-coded): + +```css +.strength-bar { display:flex;gap:2px;height:6px;width:100%;margin-top:4px; } +.strength-bar > span { flex:1;background:#30363d;border-radius:1px; } +.strength-bar.s0 > span:nth-child(1) { background:#f85149; } +.strength-bar.s1 > span:nth-child(-n+2) { background:#f0883e; } +.strength-bar.s2 > span:nth-child(-n+3) { background:#d29922; } +.strength-bar.s3 > span:nth-child(-n+4) { background:#3fb950; } +.strength-bar.s4 > span { background:#3fb950; } +.strength-row { display:flex;align-items:center;gap:8px; } +``` + +Add the meter rendering to the setup wizard (5 segments as child spans): + +```ts +function renderStrengthBar(score: number): string { + return `
    + +
    `; +} +``` + +Add the input-change handler: + +```ts +let rateDebounce: ReturnType | null = null; +const pwInput = document.getElementById('passphrase') as HTMLInputElement; +pwInput.addEventListener('input', () => { + if (rateDebounce) clearTimeout(rateDebounce); + rateDebounce = setTimeout(async () => { + const pw = pwInput.value; + if (!pw) { setMeter(0, '—', 'type a passphrase'); return; } + const resp = await new Promise((resolve) => + chrome.runtime.sendMessage({ type: 'rate_passphrase', passphrase: pw }, resolve), + ); + if (resp.ok) { + const { score } = resp.data as { score: number }; + const feedback = score >= 3 + ? 'Strong enough.' + : 'Too weak — try a longer phrase or add unpredictability.'; + setMeter(score, `score ${score}/4`, feedback); + (document.getElementById('submit-btn') as HTMLButtonElement).disabled = score < 3; + } + }, 150); +}); + +function setMeter(score: number, label: string, feedback: string): void { + const bar = document.getElementById('strength-bar'); + if (bar) bar.className = `strength-bar s${score}`; + const lab = document.getElementById('strength-label'); + if (lab) lab.textContent = label; + const fb = document.getElementById('strength-feedback'); + if (fb) fb.textContent = feedback; +} +``` + +Initial submit-button state: `disabled = true` until score ≥ 3. + +- [ ] **Step 3: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/setup/setup.ts +git commit -m "feat(ext/setup): zxcvbn strength meter + score>=3 gate (audit H3)" +``` + +### Task 26: Restore popup settings view + smoke build + +**Files:** +- Modify: `extension/src/popup/components/settings.ts` (remove `@ts-nocheck` if present; align to `DeviceSettings`) + +- [ ] **Step 1: Update the settings view to use DeviceSettings type** + +Open `extension/src/popup/components/settings.ts` and replace references to `RelicarioSettings` with `DeviceSettings`. Keep the message types the same (`get_settings`, `update_settings`, `get_blacklist`, `remove_blacklist`). + +- [ ] **Step 2: Build both bundles** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build 2>&1 | tail -10 +bun run build:firefox 2>&1 | tail -10 +bun run test 2>&1 | tail -20 +``` + +Expected: all three succeed. + +- [ ] **Step 3: Commit** + +```bash +cd /home/alee/Sources/relicario +git add extension/src/popup/components/settings.ts +git commit -m "refactor(ext/popup): settings view on DeviceSettings type" +``` + +### Task 27: Firefox manual verification + +**Files:** no code changes. + +- [ ] **Step 1: Build both bundles** + +```bash +cd /home/alee/Sources/relicario/extension +bun run build:all +``` + +- [ ] **Step 2: Load Chrome build** + +1. Open `chrome://extensions`. +2. Enable Developer mode. +3. Click "Load unpacked" → `extension/dist/`. +4. Verify extension appears in toolbar. + +- [ ] **Step 3: Load Firefox build** + +1. Open `about:debugging#/runtime/this-firefox`. +2. Click "Load Temporary Add-on…". +3. Select `extension/dist-firefox/manifest.json`. +4. Verify extension appears in toolbar. + +- [ ] **Step 4: Walk the 11-step manual matrix on both browsers** + +See spec §5.4. Take notes on any anomaly. This is a long-form checklist; don't commit anything yet — the next task gathers fixes. + +--- + +## Slice 7 — Final acceptance + +### Task 28: Run all acceptance checks + +**Files:** no code changes. + +- [ ] **Step 1: Rust workspace regression** + +```bash +cd /home/alee/Sources/relicario +cargo test --workspace 2>&1 | tail -10 +``` + +Expected: all tests pass (was 151 at plan-1b-cli-wasm-complete; may be a few more or fewer if anything shifted). + +- [ ] **Step 2: WASM target builds** + +```bash +cargo build -p relicario-wasm --target wasm32-unknown-unknown 2>&1 | tail -10 +``` + +Expected: clean build. + +- [ ] **Step 3: Extension builds + router tests** + +```bash +cd extension +bun run build:all 2>&1 | tail -10 +bun run test 2>&1 | tail -30 +``` + +Expected: all green. + +- [ ] **Step 4: Lint greps** + +```bash +cd /home/alee/Sources/relicario +git grep -n 'innerHTML\|insertAdjacentHTML' extension/src/content/ && echo "FAIL: content uses raw HTML" || echo "PASS" +git grep -n 'idfoto' extension/ && echo "FAIL: idfoto references remain" || echo "PASS" +``` + +Expected: both say `PASS`. + +- [ ] **Step 5: WAR check** + +```bash +cat extension/manifest.json | grep -A2 web_accessible_resources +cat extension/manifest.firefox.json | grep -A2 web_accessible_resources +``` + +Expected: either missing or an empty `[]`. + +- [ ] **Step 6: Mark the branch complete** + +```bash +git tag plan-1c-alpha-complete +``` + +No commit needed. The tag marks the acceptance point for executors/reviewers. + +--- + +## Self-review (writing-plans housekeeping) + +Spec coverage check: +- WASM artifact rebuild — Task 1-3 +- Shared types v2 — Task 4 +- Messages split — Task 5 +- base32 utility — Task 6 +- Session handle — Task 7 +- Vault rewrite — Task 8 +- Transitional SW index — Task 9 +- Router split — Tasks 11-13 +- Collapse index onto router — Task 14 +- Vitest + router tests — Task 15 +- WAR cleanup — Task 16 +- Setup via chrome.tabs.create — Task 17 +- Shadow DOM capture — Task 18 +- Shadow DOM icon + picker + ack hint — Task 19 +- Popup captured-tab — Task 20 +- Popup component rename — Task 21 +- Login list/detail/form — Tasks 22-24 +- zxcvbn setup gate — Task 25 +- Settings view cleanup — Task 26 +- Firefox verification — Task 27 +- Final acceptance — Task 28 + +Known gaps (intentional — all deferred per spec): +- Per-type forms beyond Login → 1C-β +- Sections + custom fields → 1C-β +- Full VaultSettings UI → 1C-β +- Attachments → 1C-γ +- Trash view / history view → 1C-γ +- Device management UI → 1C-γ