diff --git a/crates/relicario-cli/src/commands/org.rs b/crates/relicario-cli/src/commands/org.rs index c87448c..3bd4b29 100644 --- a/crates/relicario-cli/src/commands/org.rs +++ b/crates/relicario-cli/src/commands/org.rs @@ -732,7 +732,7 @@ pub fn run_audit( if json { println!("{}", serde_json::to_string_pretty(&events)?); } else { - println!("{:<44} {:<26} {:<20} {:<18} {}", "COMMIT", "TIMESTAMP", "ACTION", "ACTOR", "FLAG"); + println!("{:<44} {:<26} {:<20} {:<18} FLAG", "COMMIT", "TIMESTAMP", "ACTION", "ACTOR"); for ev in &events { println!("{:<44} {:<26} {:<20} {:<18} {}", ev.commit, diff --git a/crates/relicario-cli/src/device.rs b/crates/relicario-cli/src/device.rs index 5db7f1e..e05aaad 100644 --- a/crates/relicario-cli/src/device.rs +++ b/crates/relicario-cli/src/device.rs @@ -169,6 +169,47 @@ pub fn delete_device_keys(name: &str) -> Result<()> { Ok(()) } +/// Configure git in `vault_root` to: +/// - sign commits with the device's signing key (SSH format) +/// - push via SSH using the device's deploy key +pub fn configure_git_signing(vault_root: &std::path::Path, name: &str) -> Result<()> { + let dir = device_dir(name)?; + let signing_key = dir.join("signing.key"); + let deploy_key = dir.join("deploy.key"); + + // gpg.format = ssh so git uses SSH-format signing + crate::helpers::git_command(vault_root, &["config", "gpg.format", "ssh"]) + .status() + .context("git config gpg.format")?; + + // user.signingkey = path to the private key file + crate::helpers::git_command( + vault_root, + &["config", "user.signingkey", &signing_key.to_string_lossy()], + ) + .status() + .context("git config user.signingkey")?; + + // commit.gpgsign = true + crate::helpers::git_command(vault_root, &["config", "commit.gpgsign", "true"]) + .status() + .context("git config commit.gpgsign")?; + + // core.sshCommand — use only the deploy key for push + let ssh_cmd = format!( + "ssh -i {} -o IdentitiesOnly=yes", + deploy_key.display() + ); + crate::helpers::git_command( + vault_root, + &["config", "core.sshCommand", &ssh_cmd], + ) + .status() + .context("git config core.sshCommand")?; + + Ok(()) +} + #[cfg(test)] mod seed_helper_tests { use super::*; @@ -215,44 +256,3 @@ mod seed_helper_tests { } } } - -/// Configure git in `vault_root` to: -/// - sign commits with the device's signing key (SSH format) -/// - push via SSH using the device's deploy key -pub fn configure_git_signing(vault_root: &std::path::Path, name: &str) -> Result<()> { - let dir = device_dir(name)?; - let signing_key = dir.join("signing.key"); - let deploy_key = dir.join("deploy.key"); - - // gpg.format = ssh so git uses SSH-format signing - crate::helpers::git_command(vault_root, &["config", "gpg.format", "ssh"]) - .status() - .context("git config gpg.format")?; - - // user.signingkey = path to the private key file - crate::helpers::git_command( - vault_root, - &["config", "user.signingkey", &signing_key.to_string_lossy()], - ) - .status() - .context("git config user.signingkey")?; - - // commit.gpgsign = true - crate::helpers::git_command(vault_root, &["config", "commit.gpgsign", "true"]) - .status() - .context("git config commit.gpgsign")?; - - // core.sshCommand — use only the deploy key for push - let ssh_cmd = format!( - "ssh -i {} -o IdentitiesOnly=yes", - deploy_key.display() - ); - crate::helpers::git_command( - vault_root, - &["config", "core.sshCommand", &ssh_cmd], - ) - .status() - .context("git config core.sshCommand")?; - - Ok(()) -} diff --git a/crates/relicario-cli/src/org_session.rs b/crates/relicario-cli/src/org_session.rs index f36db6b..91ca2cf 100644 --- a/crates/relicario-cli/src/org_session.rs +++ b/crates/relicario-cli/src/org_session.rs @@ -56,12 +56,12 @@ impl UnlockedOrgVault { #[allow(dead_code)] pub fn load_meta(&self) -> Result { let s = fs::read_to_string(self.org_meta_path()).context("read org.json")?; - Ok(serde_json::from_str(&s).context("parse org.json")?) + serde_json::from_str(&s).context("parse org.json") } pub fn load_members(&self) -> Result { let s = fs::read_to_string(self.members_path()).context("read members.json")?; - Ok(serde_json::from_str(&s).context("parse members.json")?) + serde_json::from_str(&s).context("parse members.json") } pub fn save_members(&self, members: &OrgMembers) -> Result<()> { @@ -71,7 +71,7 @@ impl UnlockedOrgVault { pub fn load_collections(&self) -> Result { let s = fs::read_to_string(self.collections_path()).context("read collections.json")?; - Ok(serde_json::from_str(&s).context("parse collections.json")?) + serde_json::from_str(&s).context("parse collections.json") } pub fn save_collections(&self, collections: &OrgCollections) -> Result<()> { diff --git a/crates/relicario-server/src/main.rs b/crates/relicario-server/src/main.rs index 8d7c40e..c0a03da 100644 --- a/crates/relicario-server/src/main.rs +++ b/crates/relicario-server/src/main.rs @@ -468,7 +468,7 @@ fn enforce_owner_only_elevation( // The signer's authority = their PARENT role. A member absent from the parent // (brand new) has no prior authority and cannot mint owners/admins. let signer_parent = parent_role(signer.member_id.as_str()); - let signer_may_manage_owners = signer_parent.map_or(false, |r| r.can_manage_owners()); + let signer_may_manage_owners = signer_parent.is_some_and(|r| r.can_manage_owners()); for m in &new_members.members { if !is_privileged(m.role) {