Merge remote-tracking branch 'origin/main' into feature/v0.9.0-dev-c-org-write
This commit is contained in:
@@ -4,7 +4,7 @@
|
||||
|
||||
**Goal:** Give the extension service worker the data layer to switch into an org vault, unwrap the org master key into a Zeroizing WASM handle, and serve a grant-filtered org manifest — no UI.
|
||||
|
||||
**Architecture:** Org reuses the existing key-agnostic WASM session registry (`relicario-wasm/src/session.rs`) and the existing `item_decrypt`/`manifest_decrypt` AEAD (org items share the personal `.enc` format, org key used directly). The only new WASM function is `org_unwrap_key`. In the SW, a new multi-context session replaces the single-handle model, and a new `org-vault.ts` module mirrors `vault.ts` for org reads. Plans 2 (read UI) and 3 (write) consume the SW message contract this plan produces — they never touch WASM.
|
||||
**Architecture:** Org reuses the existing key-agnostic WASM session registry (`relicario-wasm/src/session.rs`). Org ITEMS share the personal `.enc` format and reuse `item_decrypt`/`item_encrypt` on the org handle directly. The org MANIFEST is a dedicated `OrgManifest` type (NOT the personal `Manifest`) — it uses `org_manifest_decrypt`/`org_manifest_encrypt` (Task 2, mirroring `manifest_decrypt`/`manifest_encrypt` in pattern but wrapping core's dedicated org manifest AEAD). New WASM functions: `org_unwrap_key` (Task 1) + `org_manifest_decrypt`/`org_manifest_encrypt` (Task 2). In the SW, a new multi-context session replaces the single-handle model, and a new `org-vault.ts` module mirrors `vault.ts` for org reads. Plans 2 (read UI) and 3 (write) consume the SW message contract this plan produces — they never touch WASM.
|
||||
|
||||
**Tech Stack:** Rust (relicario-core/wasm), wasm-bindgen, TypeScript (extension service worker), vitest + happy-dom.
|
||||
|
||||
@@ -21,8 +21,8 @@
|
||||
|
||||
## File Structure
|
||||
|
||||
- `crates/relicario-wasm/src/lib.rs` — add `#[wasm_bindgen] org_unwrap_key`. (Reuses `session::insert`; reuses existing `manifest_decrypt`/`item_decrypt`/`item_encrypt`/`manifest_encrypt` on the returned handle.)
|
||||
- `crates/relicario-core/src/manifest.rs` — ensure a `ManifestEntry` carries an optional `collection: Option<String>` so the org manifest round-trips through the existing manifest (de)serialization. (Verify first; only add if absent.)
|
||||
- `crates/relicario-wasm/src/lib.rs` — add `#[wasm_bindgen] org_unwrap_key` (Task 1) + `org_manifest_decrypt`/`org_manifest_encrypt` (Task 2). Org items reuse `item_decrypt`/`item_encrypt` on the returned handle. Org manifest uses the dedicated `org_manifest_decrypt`/`org_manifest_encrypt` (NOT `manifest_decrypt`/`manifest_encrypt` — the org manifest is a different type `OrgManifest`).
|
||||
- ~~`crates/relicario-core/src/manifest.rs`~~ — NOT modified. The org manifest is a dedicated `OrgManifest` type, not the personal `Manifest`. Core already ships its AEAD wrappers. No change to `ManifestEntry` was needed or made.
|
||||
- `extension/src/wasm.d.ts` — declare `org_unwrap_key`.
|
||||
- `extension/src/service-worker/session.ts` — replace single-handle model with a context map (personal + orgs); zero ALL on lock/expiry.
|
||||
- `extension/src/service-worker/org-config.ts` *(new)* — `orgConfigs` read/write over `chrome.storage.local`.
|
||||
@@ -44,7 +44,7 @@
|
||||
|
||||
**Interfaces:**
|
||||
- Consumes: `relicario_core::org::unwrap_org_key(wrapped: &[u8], ed25519_seed: &Zeroizing<[u8;32]>) -> Result<Zeroizing<[u8;32]>>` (`crates/relicario-core/src/org.rs:299`); `session::insert(master_key, image_secret) -> u32` (`crates/relicario-wasm/src/session.rs`).
|
||||
- Produces: `org_unwrap_key(keys_blob: &[u8], device_private_key_base64: &str) -> Result<SessionHandle, JsError>`. The returned handle is an ordinary `SessionHandle` — callers use the existing `item_decrypt`/`item_encrypt`/`manifest_decrypt`/`manifest_encrypt` with it.
|
||||
- Produces: `org_unwrap_key(keys_blob: &[u8]) -> Result<SessionHandle, JsError>` (reads `DEVICE_STATE` internally — no private-key param crosses JS). The returned handle is an ordinary `SessionHandle` — callers use the existing `item_decrypt`/`item_encrypt`/`manifest_decrypt`/`manifest_encrypt` with it.
|
||||
|
||||
- [ ] **Step 1: Confirm the device-key form.** Read how `device_private_key` is produced — `crates/relicario-wasm/src/lib.rs` `register_device`/`generate_device_keypair` and `crates/relicario-core/src/device.rs`. Determine whether `private_key_base64` is the raw 32-byte ed25519 seed or an OpenSSH blob, and write `org_unwrap_key` to decode it to the 32-byte seed `Zeroizing<[u8;32]>` that `unwrap_org_key` expects. Note the finding in a code comment.
|
||||
|
||||
@@ -120,55 +120,42 @@ git commit -m "feat(wasm): org_unwrap_key — ECIES unwrap into a session handle
|
||||
|
||||
---
|
||||
|
||||
### Task 2: Org manifest `collection` field round-trips
|
||||
### Task 2: Org manifest over WASM + faithful OrgManifest/OrgManifestEntry TS mirror
|
||||
|
||||
> **Re-scoped after investigation.** The original Task 2 ("add collection to the personal
|
||||
> ManifestEntry") was based on a wrong assumption and was rejected. Investigation confirmed
|
||||
> that the org manifest is a DEDICATED type (`OrgManifest`/`OrgManifestEntry`), NOT the
|
||||
> personal `Manifest`. Core already ships `encrypt_org_manifest`/`decrypt_org_manifest`
|
||||
> AEAD wrappers (`crates/relicario-core/src/vault.rs:56,62`, re-exported at crate root).
|
||||
> Adding `collection` to the personal `ManifestEntry` would be wrong and was not done.
|
||||
> The PM ratified this re-scope (Option A). This task exposes the existing core wrappers
|
||||
> over WASM and mirrors the org manifest types into TS.
|
||||
|
||||
**Files:**
|
||||
- Modify: `crates/relicario-core/src/manifest.rs`
|
||||
- Modify: `extension/src/shared/types.ts`
|
||||
- Test: `crates/relicario-core/tests/format_v2.rs` (or the manifest test module)
|
||||
- Modify: `crates/relicario-wasm/src/lib.rs` — add `org_manifest_decrypt` + `org_manifest_encrypt` after `org_unwrap_key`; add round-trip test in `org_tests`.
|
||||
- Modify: `extension/src/wasm.d.ts` — declare both new functions.
|
||||
- Modify: `extension/src/shared/types.ts` — add `OrgManifestEntry` + `OrgManifest` interfaces (faithful/lean; no personal-only fields).
|
||||
|
||||
**Interfaces:**
|
||||
- Produces: `ManifestEntry.collection: Option<String>` (serde `skip_serializing_if = "Option::is_none"`), mirrored in TS as `collection?: string`.
|
||||
- Produces: `org_manifest_decrypt(handle: &SessionHandle, encrypted: &[u8]) -> Result<JsValue, JsError>` — mirrors `manifest_decrypt`; org items remain personal Items.
|
||||
- Produces: `org_manifest_encrypt(handle: &SessionHandle, manifest_json: &str) -> Result<Vec<u8>, JsError>` — mirrors `manifest_encrypt`.
|
||||
- Produces: `OrgManifestEntry` TS interface: `{id, type, title, tags[], modified, trashed_at?, collection}`. `collection` is REQUIRED. No personal-only fields (no attachment_summaries/icon_hint/favorite/group).
|
||||
- Produces: `OrgManifest` TS interface: `{schema_version, entries: OrgManifestEntry[]}`.
|
||||
- Core import path confirmed: `relicario_core::decrypt_org_manifest` / `relicario_core::encrypt_org_manifest` / `relicario_core::OrgManifest` — all re-exported at crate root (`lib.rs:81-83`, `lib.rs:99`).
|
||||
|
||||
- [ ] **Step 1: Check current state.** Grep `crates/relicario-core/src/manifest.rs` for `collection`. If the org manifest already round-trips (org CLI works, so it likely uses a dedicated type or already has the field), this task is a no-op verification — confirm with a test and skip to commit. If `ManifestEntry` lacks `collection`, proceed.
|
||||
- [x] **Step 1 (TDD RED):** Added test `org_manifest_round_trip_via_handle` in `org_tests` before implementing the fns. Confirmed compile error: `cannot find function 'org_manifest_encrypt' in this scope`.
|
||||
|
||||
- [ ] **Step 2: Write the failing test**
|
||||
- [x] **Step 2 (Implement):** Added `org_manifest_decrypt` + `org_manifest_encrypt` in `lib.rs` right after `org_unwrap_key`, mirroring the existing `manifest_decrypt`/`manifest_encrypt` pattern exactly. Same `need_key(handle)?` guard, same `session::with`, same `js_value_for(&out)`. Swapped type + core fn.
|
||||
|
||||
```rust
|
||||
#[test]
|
||||
fn manifest_entry_round_trips_collection_slug() {
|
||||
let json = r#"{"id":"a1","title":"db","collection":"prod-infra","modified":1}"#;
|
||||
let entry: ManifestEntry = serde_json::from_str(json).unwrap();
|
||||
assert_eq!(entry.collection.as_deref(), Some("prod-infra"));
|
||||
let back = serde_json::to_string(&entry).unwrap();
|
||||
assert!(back.contains("prod-infra"));
|
||||
}
|
||||
```
|
||||
- [x] **Step 3 (TDD GREEN):** `cargo test -p relicario-wasm org_manifest` → 1 passed.
|
||||
|
||||
- [ ] **Step 3: Run to verify it fails**
|
||||
- [x] **Step 4 (TS types):** Added `OrgManifestEntry` + `OrgManifest` to `extension/src/shared/types.ts` (faithful/lean). Added `org_manifest_decrypt`/`org_manifest_encrypt` declarations to `extension/src/wasm.d.ts`.
|
||||
|
||||
Run: `cargo test -p relicario-core manifest_entry_round_trips_collection_slug`
|
||||
Expected: FAIL (unknown field or missing accessor) — or PASS immediately if the field already exists (then this task is verification-only).
|
||||
|
||||
- [ ] **Step 4: Add the field if absent**
|
||||
|
||||
```rust
|
||||
#[serde(skip_serializing_if = "Option::is_none", default)]
|
||||
pub collection: Option<String>,
|
||||
```
|
||||
|
||||
- [ ] **Step 5: Run to verify it passes**
|
||||
|
||||
Run: `cargo test -p relicario-core manifest`
|
||||
Expected: PASS, no other manifest test regressed.
|
||||
|
||||
- [ ] **Step 6: Mirror in TS + commit**
|
||||
|
||||
Add `collection?: string;` to the `ManifestEntry` interface in `extension/src/shared/types.ts`.
|
||||
- [x] **Step 5 (gates):** All five gates green (see commit).
|
||||
|
||||
```bash
|
||||
git add crates/relicario-core/src/manifest.rs extension/src/shared/types.ts
|
||||
git commit -m "feat(core): ManifestEntry carries optional collection slug"
|
||||
git add crates/relicario-wasm/src/lib.rs extension/src/wasm.d.ts extension/src/shared/types.ts
|
||||
git commit -m "feat(wasm,ext): org_manifest_decrypt/encrypt over WASM + faithful OrgManifest TS mirror"
|
||||
```
|
||||
|
||||
---
|
||||
@@ -336,7 +323,7 @@ git commit -m "feat(ext/sw): org config storage + org_list_configs message"
|
||||
- Test: `extension/src/service-worker/__tests__/org-vault.test.ts`
|
||||
|
||||
**Interfaces:**
|
||||
- Consumes: `createGitHost` (`service-worker/git-host.ts`); `org_unwrap_key` (Task 1); device key from `chrome.storage.local.device_private_key`; `wasm.manifest_decrypt` (existing).
|
||||
- Consumes: `createGitHost` (`service-worker/git-host.ts`); `org_unwrap_key` (Task 1); device key from `DEVICE_STATE` via `w.get_device_info()`; `wasm.org_manifest_decrypt_filtered` (Task 5a).
|
||||
- Produces: `openOrg(cfg: OrgConfig): Promise<OrgHandleState>` where `OrgHandleState = { handle: SessionHandle; grants: string[]; offline: boolean }`; `listOrgItems(state): ManifestEntry[]` (filtered to `grants`); `getOrgItem(state, id): Promise<Item>`; `listOrgCollections(state): Collection[]`.
|
||||
|
||||
- [ ] **Step 1: Write the failing test** (mock the GitHost + wasm boundary as `router.test.ts` does)
|
||||
@@ -420,7 +407,7 @@ git commit -m "feat(ext/sw): org-vault — unwrap, fetch, grant-filter manifest"
|
||||
- Test: `extension/src/service-worker/__tests__/org-vault.test.ts`
|
||||
|
||||
**Interfaces:**
|
||||
- Produces SW messages: `org_switch {context}` → `{ ok, data: { context, offline } }`; `org_list_items` → `{ ok, data: ManifestEntry[] }`; `org_get_item {id}` → `{ ok, data: Item }`; `org_list_collections` → `{ ok, data: Collection[] }`. On a git network error during switch, set `offline: true` and serve the last-cached manifest read-only.
|
||||
- Produces SW messages: `org_switch {context}` → `{ ok, data: { context, offline } }`; `org_list_items` → `{ ok, data: OrgManifestEntry[] }`; `org_get_item {id}` → `{ ok, data: Item }`; `org_list_collections` → `{ ok, data: Collection[] }`. On a git network error during switch, set `offline: true` and serve the last-cached manifest read-only.
|
||||
|
||||
- [ ] **Step 1: Write the failing test**
|
||||
|
||||
@@ -460,8 +447,8 @@ Plans 2 and 3 are UI-only and talk to the SW exclusively through these messages
|
||||
|
||||
- `org_list_configs` → `{ ok, data: OrgConfigSummary[] }` where `OrgConfigSummary = { orgId, displayName }`
|
||||
- `org_switch { context: 'personal' | <orgId> }` → `{ ok, data: { context, offline: boolean } }`
|
||||
- `org_list_items` → `{ ok, data: ManifestEntry[] }` (already grant-filtered; entries carry `collection`)
|
||||
- `org_get_item { id }` → `{ ok, data: Item }`
|
||||
- `org_list_items` → `{ ok, data: OrgManifestEntry[] }` (already grant-filtered; `collection` required — entries are the lean org shape, NOT personal ManifestEntry)
|
||||
- `org_get_item { id }` → `{ ok, data: Item }` (org items are personal `Item`s encrypted with the org key; `item_decrypt` is unchanged)
|
||||
- `org_list_collections` → `{ ok, data: Collection[] }` where `Collection = { slug, display_name }`
|
||||
|
||||
The SW holds the org context after `org_switch`; subsequent `org_list_items`/`org_get_item` operate on the current context until the next `org_switch` (including back to `'personal'`). Plan 3 adds `org_add_item`/`org_update_item`/`org_delete_item` against this same context model.
|
||||
|
||||
Reference in New Issue
Block a user