Replaces the previously any-typed StateHost contract with a typed interface.
Adds double-registration guard and __resetHostForTests for vitest.
sendMessage wrapper is currently a pass-through; Phase 4 will fill its body
with the vault_locked intercept lifted from vault.ts.
Widens PopupState/View on shared/popup-state.ts to cover vault-tab-only
views (history, backup, import) and vault-tab-only fields (unlocked,
drawerOpen, typePanelOpen) so VaultState satisfies StateHost.getState()
without a cast. The popup surface ignores the new optional fields.
Drops the `any` annotations on vault.ts's registerHost callbacks now that
the typed StateHost contract infers them from PopupState.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Foundation for Plan C Phase 1: shared/state.ts (next task) needs to import
PopupState without creating a popup->shared circular dep. popup.ts now
re-exports from the new location so existing callers don't break in this
task. Task 1.4 will sweep them onto the canonical import path.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
24 tasks across 6 phases derived from the 2026-05-04 extension restructure
spec. Per-task bite-sized steps (TDD where new behavior, verify-existing-
tests where pure relocation) with explicit file/line citations and full
code snippets.
Phase 1 (StateHost typing, S-M, blocks 3+4): 5 tasks
Phase 2 (storage.ts + itemToManifestEntry, S): 3 tasks
Phase 3 (setup wizard SW migration + step registry, L): 7 tasks
Phase 4 (vault.ts split into 5 modules + vault_locked lift, M): 7 tasks
Phase 5 (P2 cluster: timer/gitHost/teardown/allSettled/debounce, M): 5 tasks
Phase 6 (get_vault_status + sidebar status indicator, S-M): 3 tasks
Task 7.1 (final verification sweep against spec Done criteria).
Recommended sequence: 1 → 2 → 5 → 4 → 6 → 3 (independents first, then
the typed-StateHost-dependent phases, then Phase 3 last because it's the
biggest single phase and benefits from all the supporting infra in
place). Max subagent parallelism: 3 streams.
Cross-plan: explicit out-of-scope notes for Plan A (security/docs polish,
already shipped) and Plan B (CLI restructure, already shipped). The
wasm.d.ts file is not touched by this plan (verify empty diff at done).
STATUS + ROADMAP updated to point at the plan.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Post-v0.6.0 spot-check of the three 2026-05-04 architecture-review
specs (per CLAUDE.md rule #4) confirms:
- CLI restructure: shipped as Plan B Cycles 1+2 (b9bd152, 3dd1e1b,
3759f6a, e69b347). Last gap (read-side refresh_groups_cache
callers) closed in d717f0d. Done-criteria all met.
- Security polish: shipped as Stream A Cycle 1 (89090a8) plus
follow-ups for start.sh fourth window (0c9387f) and recovery_qr.rs
docs (229e483). All four phases done.
- Extension restructure: genuinely outstanding. vault.ts is 1037 LOC
(criterion ~200); the five-module split has not happened; setup.ts
still imports relicario-wasm directly; shared/state.ts still has
any-typed StateHost; SW router helpers still duplicated; CLI parity
gap (relicario status) still open. Effort estimate: L.
Removes the incorrect "subcommand reorganization, interactive TUI
mode" descriptor — the original CLI restructure spec is about file
structure, not TUI or renames. The TUI descriptor was a roadmap
mis-paraphrase, not a real outstanding item.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan B Phase 4 wanted "every mutating handler must call
refresh_groups_cache" to be a compile-time invariant, with all
callers funneled through Vault::after_manifest_change. The
mutating-handler sweep happened, but two read-side callsites
(commands/list.rs and commands/get.rs) still called the public
helper directly for opportunistic shell-completion cache freshness.
Closes the gap:
- helpers::refresh_groups_cache demoted from pub to pub(crate).
- list.rs and get.rs drop their explicit calls. Cache freshness
between mutations is unaffected: every mutating handler still
funnels through after_manifest_change. The minor staleness
window (manifest changed externally via git pull, no local
mutation since) is the trade-off the spec accepts in exchange
for the compile-time invariant.
The Plan B done-criterion "grep refresh_groups_cache outside
session.rs returns zero" now passes apart from the function
definition itself, which lives in helpers.rs (the natural place
for a flat utility). The visibility scoping achieves the
architectural intent.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The router migrated from generate_device_keypair → register_device
(returns signing_public_key + deploy_public_key with private keys
staying internal to WASM). Test still mocked the old function under
the old return shape (public_key_hex / private_key_base64), so the
router's state.wasm.register_device() call failed with
"is not a function".
Updates the mock function name, response shape, and assertion to the
current contract. Test intent (treat the WASM return as a JS object,
not a JSON string) is preserved.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Tests were written against the pre-Stream B flat settings page. After
the left-nav restructure (bd6a301) and the management-surfaces revamp,
the Display section's IDs are only in the DOM once the user navigates
there, and renderSettings makes additional sendMessage calls (is_unlocked,
per-section data) that the original mocks didn't cover.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Tests predated the 2026-05-24 management-surfaces revamp (047df6e): popup
devices pane now shows SHA-256 fingerprint + added-by + inline two-step
revoke confirm, and the SW revokeDevice signature may have shifted to
match. Mocks + assertions updated accordingly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three commits landed since the prior sync (72a59c6) that should be
reflected here:
- cccb7d7 rule #4 + doc-structure plan ticks
- 39ae629 vault lock-screen logo
- (this commit)
Moves the doc-structure redesign from "in progress" to "complete"
(Task 5 verified clean), drops the lock-screen logo from in-flight,
and trims Up next to the four genuinely-outstanding items: tag cut,
CLI restructure, extension restructure, security polish.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mirrors the logo-lockup treatment already used in the popup unlock view
(Phase 2B) and the setup wizard. Lock-screen rendering now shows the
relicario-logo.svg above the wordmark instead of just the wordmark.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Rule #4 codifies the discipline that prevents the kind of drift the
2026-05-30 status-audit found: Phase 2B, v0.5.1 Streams A/B/C, and 1C-γ
all stealth-shipped 2-3 weeks earlier with their plan checkboxes never
ticked and STATUS.md still listing them as "Up next".
Two halves to the rule:
- Ship side: ticking the boxes is part of shipping. A commit that lands
plan work also ticks that plan's boxes (or an immediately-following
docs commit does).
- Execute side: before starting an unchecked plan, spot-check git log
for distinctive symbols/files — re-executing already-merged work is
the worst failure mode of the drift.
Also applies the rule retroactively to the doc-structure redesign plan:
all 37 sub-step checkboxes flipped to [x]. Tasks 1-4 (rename, scope
headers + Next: footers, link fixes, CLAUDE.md table) shipped in
36a59cd..bae3f7c. Task 5's six verification steps all pass (Step 3's
grep matches are false positives — they're correct new-path sibling
links from inside docs/ to docs/, not stale old-path uses).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The 2026-05-30 sync commit (fa659eb) only covered the vault-tab
management surfaces revamp. It missed three earlier merges that landed
2026-05-02..05-03 and have been on main since:
- Phase 2B polish foundation + form layout (5da1e52, 2026-05-02)
- v0.5.1 Stream A — 3-column vault layout + bottom sheet + toast +
GLYPH_VAULT_TAB + emoji sweep (c16adc4, 2026-05-03)
- v0.5.1 Stream B — left-nav settings (Autofill / Display / Security /
Generator / Retention / Backup / Import) (bd6a301, 2026-05-03)
- v0.5.1 Stream C — Recovery QR end-to-end (core + WASM + CLI +
settings-security.ts + setup wizard banner) + setup wizard Style C
redesign (934dfe0, 2026-05-03)
Also missing: 1C-γ (attachments + Document type + device registration
+ trash + history), Plan B multi-stream refactor (Cycles 1+2), and
the in-flight doc-structure redesign Tasks 1-4 (commits 36a59cd..bae3f7c
since spec 3209bfb).
STATUS now lists each train with merge SHA, spec/plan pointers, and
per-feature bullets. ROADMAP's "Up next" / "Medium-term" / "Long-term"
sections retrimmed: the only genuinely outstanding work is doc-structure
Task 5 verification, the lock-screen logo, the v0.5.x tag, and the
three 2026-05-04 architecture-review specs (CLI restructure, extension
restructure, security polish — none have plans yet).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Table row labels now reference DESIGN.md / docs/CRYPTO.md /
docs/FORMATS.md. Adds three new discipline rules attacking the
structural causes of the 2026-05-30 drift audit findings:
1. Scope-boundary check — content goes in the doc whose scope
header claims it; if it doesn't fit, move it instead of
stretching the header.
2. Code-constant pinning — docs that cite code constants must
cite source file + line; constant changes update doc and
code in the same commit.
3. New-doc rule — adding a tour doc also requires updating
DESIGN's code-map, the Next: footer chain, and this table.
Spec: docs/superpowers/specs/2026-05-30-doc-structure-redesign-design.md
Rewrites every markdown reference to the old paths:
- ARCHITECTURE.md → DESIGN.md
- docs/ARCHITECTURE.md → docs/CRYPTO.md
- FORMATS.md → docs/FORMATS.md
Touches CLAUDE.md (living-docs table + planning-references list),
per-crate ARCHITECTURE.md cross-refs, and any specs in
docs/superpowers/specs/ that referenced the old paths. Audit
history and test-run logs intentionally left untouched.
Spec: docs/superpowers/specs/2026-05-30-doc-structure-redesign-design.md
Each of the eight tour docs (README, DESIGN, docs/CRYPTO,
docs/FORMATS, docs/SECURITY, crates/relicario-core/ARCHITECTURE,
crates/relicario-cli/ARCHITECTURE, extension/ARCHITECTURE) now
declares its scope in a blockquote under its H1 and ends with a
single-line "Next:" pointer to the next doc in the canonical
reading order: README → DESIGN → CRYPTO → FORMATS → SECURITY →
core → cli → extension.
Also trimmed README's mid-section "Architecture" stub to a one-
paragraph pointer at DESIGN.md (was duplicating cross-codebase
content and referencing a non-existent docs/architecture/ tree).
Renamed docs/CRYPTO.md's H1 from "Relicario — Architecture" to
"Relicario — Crypto Pipeline" to match the file's renamed scope.
Spec: docs/superpowers/specs/2026-05-30-doc-structure-redesign-design.md
Five sequential tasks, one commit each, all mechanical:
1. git mv the three doc files
2. add scope headers + Next: footers to the eight tour docs
(also trim README architecture stub)
3. fix incoming links to old paths
4. update CLAUDE.md table + add 3 discipline rules
5. verification gate
Spec: docs/superpowers/specs/2026-05-30-doc-structure-redesign-design.md
Proposes renaming the three overlapping ARCHITECTURE.md files into
topic-named docs (top-level → DESIGN.md, docs/ARCHITECTURE.md →
docs/CRYPTO.md), moving FORMATS.md into docs/, and adding scope
headers + "Next:" footers to every tour doc so the reading order is
canonical: README → DESIGN → CRYPTO → FORMATS → SECURITY →
per-crate ARCHITECTURE → extension/ARCHITECTURE.
Direct response to the drift audit run earlier today (the audit's
content fixes already landed in 210232d, cf7478d, fa659eb). This
spec attacks the structural causes: name collisions, no scope
boundaries, no reading-order signposts, root/docs/ asymmetry.
Migration is mechanical — 5 sequential commits, no content rewrites:
rename, headers+footers, link-fixes, CLAUDE.md update, verification.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Punch items from doc audit:
- STATUS: "in progress" section was carrying ghost items (vault
container max-width, README name fix) with no matching commits or
working-tree changes; trimmed to the one real in-flight item.
- STATUS + ROADMAP: trash/history/devices/settings management-surfaces
revamp shipped 2026-05-24..05-30 (commits c943a06..88d7228) but was
still listed as "up next" / medium-term; moved to shipped with
per-commit SHAs.
- STATUS: v0.5.0 was described as the current tag, but only v0.2.0 and
four plan-1* tags exist; rephrased as "v0.5.0 train on main, untagged".
- ROADMAP: "Vault lock screen + container polish (in progress)"
collapsed to just the lock-screen logo (the only real in-flight item).
- extension/ARCHITECTURE: module map missing four shipped components —
popup/components/form-header.ts, popup/components/settings-security.ts,
vault/components/backup-panel.ts (#backup route),
vault/components/import-panel.ts (#import route); all added with
matching #backup / #import route entries.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Punch items from doc audit:
- relicario-core: module map missing 5 public modules (backup,
device, import_lastpass, recovery_qr, tar_safe); added with
1-2 sentence descriptions in the existing voice.
- relicario-core: "ed25519-dalek is a dependency placeholder" was
stale — device.rs now consumes it for signing/verify/keypair.
- relicario-cli: Rate (zxcvbn scoring) and RecoveryQr (generate/unwrap)
commands were absent from Key flows; added.
- relicario-cli: "Backup-passphrase-style commands (none yet)" rewritten
— Backup (export/restore .relbak) and Import (lastpass) both shipped.
- relicario-cli: module map refreshed — handlers moved out of main.rs
into commands/, plus prompt.rs/parse.rs/device.rs/gitea.rs surfaced.
Stale main.rs:NNNN line citations on individual flows are not fixed
here — those handlers now live in commands/*.rs and warrant a deeper
pass later.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Punch items from doc audit:
- docs/ARCHITECTURE.md: encrypted file format diagram said version byte
0x01; actual VERSION_BYTE is 0x02 (crypto.rs:59) and 0x01 is rejected
with UnsupportedFormatVersion.
- docs/ARCHITECTURE.md: DCT embedding diagram said "Repeat secret 20+
times" and "positions 4-15"; actual is MIN_COPIES (5) to 50 copies
chosen by capacity, embedded in zig-zag positions 6-17
(imgsecret.rs:78, 99-104, 530-537).
- FORMATS.md: AttachmentId table said 16 hex chars / 8 bytes; actual is
32 hex chars / first 16 bytes of SHA-256 (ids.rs:59-69).
- FORMATS.md: ManifestEntry schema missing r#type field; updated to list
all ten fields in declared order with serde decorations noted
(manifest.rs:21-38).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add four utility classes to both vault.css and popup styles.css for use in
settings/devices/trash/history management surfaces. These provide standardized
styling for section headers, glyph buttons, key-value rows, and fingerprints
that will be used across all revamped panes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
12 tasks covering settings/devices/trash/history pane revamps, plus
groundwork (glyph constants, relative-time util, ssh-fingerprint util,
shared CSS classes) and routing/nav wiring. Tasks are TDD where the
work is testable (utils) and bite-sized manual-smoke where it's UI.
Spec corrections folded in:
- Devices revoke is upgrade (text+confirm → glyph+inline), not greenfield
- Fingerprint via webcrypto in extension, no SW shape change, no WASM
- Routing keeps 'field-history' as internal dispatch key; only user-facing
hash normalizes #field-history → #history for backward compat
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Brainstormed design covering UX revamp of all four in-vault admin
panes (Settings, Devices, Trash, History) to match the fullscreen
visual language. Closes functional gaps along the way: per-device
session-timeout UI, revoke button surfacing, SHA256 fingerprint +
added-by display, per-item purge countdown, and a new history
index pane.
Item history uses option A (aggregate existing field_history per
item) — no new core storage, no schema change. Ships in v0.5.x
inside the current vault.ts shell; Phase 3 shell rearchitecture and
Phase 4 command palette deferred to their own rounds.
Roadmap entry reconciled to point at the spec.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Move docs/architecture/overview.md to ARCHITECTURE.md at the repo root —
it is the primary cross-codebase architecture doc (four-codebase diagram,
inter-codebase contracts, secrets map, build matrix, test strategy, where-to-look
table) and belongs at the root alongside STATUS.md, ROADMAP.md, etc.
Update relative paths inside the file (../../crates/ → crates/, etc.).
Update CHANGELOG.md's one active reference to the old path.
Add a "Living docs — update discipline" table to CLAUDE.md that maps every
ALLCAPS.md file to the area it covers and the trigger for updating it. This
closes the loop on the ALLCAPS.md documentation system.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce three new ALLCAPS.md tracking files:
- STATUS.md: living doc of in-flight work and what shipped in v0.5.0
- ROADMAP.md: full roadmap extracted from CLAUDE.md + expanded with all specced work
- FORMATS.md: wire-format quick-reference (.enc blobs, params.json, devices.json, etc.)
Update CLAUDE.md to replace the single-spec "Design spec" section with a
"Planning & design specs" section that instructs checking docs/superpowers/specs/
and docs/superpowers/plans/ before any planning or implementation work.
Also add the rule to update STATUS.md after every dev iteration, and replace
the stale v0.5.0-in-progress roadmap paragraph with references to the new files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds top-level LICENSE (GPL-3.0 full text), updates README, and sets
`license = "GPL-3.0-or-later"` on all four crate manifests.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
clap alias makes both `relicario gen -l 32` and the long-form
`relicario generate -l 32` route to the same handler. The short flags
-l (length) and -w (words) were missing -- the READMEs existing example
`relicario generate -l 32` only actually worked after this commit.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Quick start gains backup export and recovery-qr generate examples so
first-time readers see those features without scrolling.
- New "Recovery: what if I lose my reference image?" section explains the
recovery QR mitigation, domain-separation rationale (b"relicario-recovery-v1\0"
prefix prevents wrap-key/master-key collision under passphrase reuse),
salt+nonce freshness, and recommended offline-storage practice.
- Architecture core file list adds recovery_qr.rs and import_lastpass.rs
(both pre-existing, both were missing from the README list).
- Roadmap marks Recovery QR as shipped, slotted next to Backup & restore.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
4 commits from feature/cli-tail-stream-b-session-manifest:
- 2e41e0b refactor(cli): single canonical ParamsFile in session.rs (Phase 5)
- 7901c27 refactor(cli): Vault::after_manifest_change wrapper (Phase 4)
- 4b657e7 refactor(cli): batched purge in cmd_purge and cmd_trash_empty (Phase 6)
- c4777cc refactor(cli): apply simplify findings (Phases 4-6 polish)
Phase 4 complete: Vault::after_manifest_change wrapper funnels NINE manifest-
mutation sites (not 7 as the spec/notes flagged -- attach.rs add+detach,
import.rs LastPass, and trash.rs cmd_trash_empty all previously SKIPPED
refresh_groups_cache; the wrapper now refreshes them as a side-effect).
save_manifest was DROPPED entirely (rather than just demoted to pub(crate)
as the spec said) -- the simplify pass found no escape hatch was needed,
so the only path to write the manifest now goes through the wrapper.
Stronger than spec.
Phase 5 complete: single pub(crate) struct ParamsFile in session.rs at
module level with Serialize+Deserialize. Constructors for_new_vault and
to_kdf_params (simplify pass changed into_kdf_params(self) to
to_kdf_params(&self) for ergonomics). commands/init.rs uses
ParamsFile::for_new_vault. On-disk JSON schema verified BYTE-STABLE via
fixture-string round-trip test (session::tests::params_file_round_trips_current_layout
+ for_new_vault_produces_expected_shape) -- same fields, same ordering,
same rename_all placement. Existing vaults read with no migration.
Phase 6 complete: purge_item renamed purge_item_filesystem, mutates only
filesystem + manifest, returns Vec<String> of paths. cmd_purge and
cmd_trash_empty both follow after_manifest_change -> git_rm -> git add ->
git commit. New helpers::git_rm extracted to DRY the pattern. Strict
invariant locked: tests/basic_flows.rs::trash_empty_batches_into_one_commit
counts commits via git rev-list --count HEAD before/after and asserts
delta == 1. A 50-item trash empty now fires 3 git invocations, not 52.
Simplify polish (c4777cc): all 5 findings legitimate, none rationale-skipped:
- Dropped redundant save_manifest_raw escape hatch
- Value-vs-self ergonomic fix (to_kdf_params(&self))
- DRY git_rm helper
- TOCTOU pre-check dropped from purge_item_filesystem
- Comment trim
3-way merge with stream-a (3dd1e1b) and stream-c (e69b347) clean: git
auto-resolved commands/add.rs (stream-a prompt_or_flag changes interleaved
with stream-b after_manifest_change call at the manifest-mutation site).
Verified semantic correctness via post-merge cargo test.
Pre-merge checklist on tip c4777cc + post-merge verification:
- cargo test --workspace standalone: 260 tests, 0 failures
- cargo test --workspace post-merge: 281 tests, 0 failures
- cargo clippy --workspace --all-targets -- -D warnings: silent
- cargo build -p relicario-wasm --target wasm32-unknown-unknown: clean
- Independent fresh-subagent code review: APPROVE
- grep refresh_groups_cache crates/relicario-cli/src/: zero matches
outside session.rs/helpers.rs (per spec done-criteria)
- grep struct ParamsFile crates/relicario-cli/src/: ONE match
(per spec done-criteria)
Plan B COMPLETE. With Phase 3 (Stream A) merged at 3dd1e1b and Phases 7+8
(Stream C) merged at e69b347, all eight Plan B phases are now on main.
One nit deferred (per subagent review): trash empty partial-failure
recovery -- if git_rm fails after after_manifest_change succeeds,
manifest.enc is rewritten in-tree and items are removed from disk but
no commit is made. Pre-existing behavior was strictly worse (per-item
interleaved partial-commit risk); current state is a net improvement.
Tree-cleanup-on-failure belongs in a follow-up plan, not this PR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- session.rs: drop save_manifest_raw — its only caller was
after_manifest_change itself; the pub(crate) advertised the exact
bypass-the-cache-refresh footgun the wrapper exists to eliminate.
Inline the encrypt + atomic_write pair.
- session.rs: into_kdf_params(self) → to_kdf_params(&self). Body just
copies three u32s; the consume-self had no ownership benefit and
forced the round-trip test to rebuild a ParamsFile field-by-field.
- helpers.rs: add git_rm(repo, paths, context) wrapper around git_run
+ the load-bearing --ignore-unmatch flag. Replaces two near-identical
three-line "build rm_args, extend, git_run" blocks in trash.rs.
- trash.rs: purge_item_filesystem drops the if x.exists() pre-checks
(TOCTOU + redundant stat per item per trash-empty iteration). Uses
ErrorKind::NotFound swallow on remove_file/remove_dir_all instead.
- basic_flows.rs: trim trash_empty_batches_into_one_commit's sleep
comment to just the WHY.
3 commits from feature/cli-tail-stream-c-core-wasm-seam:
- e5d63ab refactor(core): extract base32 module, dedupe two RFC 4648 impls
- 03f2a1b refactor(core,cli): migrate CLI parsers to relicario-core, parse.rs becomes shim
- fc9264e feat(wasm): add parse_month_year, base32_decode_lenient, guess_mime exports
Phase 7 complete: parser bodies (MonthYear::parse, mime::guess_for_extension,
TotpConfig::parse_secret) lifted into relicario-core; CLI parse.rs reduced to
19-line thin shims; callsites unchanged. base32 codec deduplicated from two
inline implementations (item.rs encoder + import_lastpass.rs decoder) into
crate::base32::{encode_rfc4648, decode_rfc4648_lenient}. Steam Guards
non-RFC-4648 alphabet stays at item_types/totp.rs:13 with a neighbour
comment cross-referencing the standard module.
Phase 8 complete: 3 #[wasm_bindgen] exports (parse_month_year,
base32_decode_lenient, guess_mime) with snake_case JS names per existing
convention. extension/src/wasm.d.ts mirror landed in the same commit
(fc9264e) per kickoff hard-rule.
Spec deviation (PM ack 02:55Z + 15:13Z): pub(crate) mod base32 promoted to
pub mod base32 because the CLI shim AND the Phase 8 WASM exports both
require external reach. Justification documented in lib.rs module-list
comment + module-level docstring on base32.rs explicitly carving Steam
Guard out as a non-user.
Two new RelicarioError variants added (additive, non-breaking):
- InvalidBase32(String)
- InvalidMonthYear(String)
3-way merge with stream-a (3dd1e1b) clean: stream-c didn't actually modify
add.rs or prompt.rs, so the diff stat showing those files was just stream-c
being behind on stream-a's changes. ort strategy auto-took mains versions.
Pre-merge checklist on tip fc9264e + post-merge verification:
- cargo test --workspace standalone: 272 tests, 0 failures
- cargo test --workspace post-merge: 277 tests, 0 failures (5 added from stream-a)
- cargo clippy --workspace --all-targets: silent (both standalone + post-merge)
- cargo build -p relicario-wasm --target wasm32-unknown-unknown: clean
- Extension vitest: 17 failed / 335 passed -- matches cycle-1 baseline cluster, no new regressions
- Independent fresh-subagent code review: APPROVE-WITH-NITS
- nit 1: stale doc-comment in extension/src/shared/base32.ts:3 (Plan C concern, deferred)
- nit 2: TotpConfig::parse_secret unused on this branch (spec-driven forward-compat for Plan C SW handlers)
Plan B Phases 7+8 complete. With Phase 3 (Stream A) already merged at 3dd1e1b,
only Phases 4+5+6 (Stream B in flight) remain to close out Plan B.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Renames purge_item to purge_item_filesystem — body becomes filesystem-only
(remove item.enc, remove attachments/<id>/, manifest.remove). Returns the
relative paths it removed. cmd_purge and cmd_trash_empty accumulate the
paths and fire ONE git rm + ONE git add + ONE git commit per invocation.
A 50-item trash empty now produces 3 git subprocesses regardless of N
(was N+2). New regression test trash_empty_batches_into_one_commit asserts
the one-commit invariant via git rev-list --count.
Plan B Phase 8 — three #[wasm_bindgen] exports for the parsers migrated
in Phase 7, mirrored in extension/src/wasm.d.ts under "Pure parsers
(no session needed)". snake_case JS naming consistent with every
existing export; SessionHandle not required.
- parse_month_year(s) → { month, year } via js_value_for
- base32_decode_lenient(s) → Uint8Array
- guess_mime(filename) → string
Tests in session_tests mod cover the OK paths; error-path / JsValue
serialization can't be tested natively (JsError construction panics
off-wasm) and is covered in core (time::tests + base32::tests).
Plan C will wire SW message handlers consuming these exports in a
future round; this commit delivers only the seam.
Includes simplify-feedback fixes:
- relicario-core lib.rs module-list mentions base32 and mime
- item_types/totp.rs neighbour comment unified to ///-style block
cargo test --workspace: green
cargo clippy --workspace: silent
cargo build -p relicario-wasm --target wasm32-unknown-unknown: clean
cd extension && npm run test: 17 pre-existing failures only (baseline)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the canonical post-mutation funnel: save_manifest_raw + groups.cache
refresh in one method. Converts nine commands/*.rs mutation callsites from
the manual save_manifest + refresh_groups_cache pair to a single
vault.after_manifest_change(&manifest)?. save_manifest renamed to
save_manifest_raw (pub(crate)) so future commands cannot accidentally
bypass the cache refresh. Four of the nine sites (attach.rs add/detach,
import.rs LastPass, trash.rs cmd_trash_empty's per-item save) previously
skipped the cache refresh — the wrapper fixes them. refresh_groups_cache
moves from main.rs to helpers.rs so the read-side warmup callers in
get.rs/list.rs still reach it.
2 commits from feature/cli-tail-stream-a-prompt-helpers:
- bfec232 feat(cli): add prompt_or_flag<T> + prompt_or_flag_optional<T>
- 8e791e4 refactor(cli): compress build_*_item with prompt_or_flag
Phase 3 complete. Helper signatures match the spec literal; all 7 build_*_item
builders converted (title in each + username and url in build_login_item).
Internal refactor extracts read_required_line / read_optional_line as
generic-over-BufRead helpers so prompt and prompt_optional both delegate to
them, unblocking Cursor-driven tests for the legacy callers.
Honest scope correction (per DEV-A PR description): the spec promised ~30
percent per-type body shrinkage but the actual outcome is 1-line-for-1-line
replacement. The win is intent clarity, not LOC. Worth calibrating Plan B
compression-claim heuristics in future planning.
Subtle behavior delta in build_login_item: the prior
prompt_optional(...).ok().flatten() silently mapped I/O errors to None;
the new prompt_or_flag_optional(...)? propagates them. Ctrl-D mid-prompt now
errors clearly instead of producing a half-empty item -- strictly better.
Pre-merge checklist on tip 8e791e4:
- cargo test --workspace: 261 tests, 0 failures (254 baseline + 7 new)
- cargo clippy --workspace --all-targets: silent
- cargo build -p relicario-wasm --target wasm32-unknown-unknown: clean
- Independent fresh-subagent code review: APPROVE (spec-conformant, well-tested)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan B Phase 3 sub-step 2. Replaces the
title.map(Ok).unwrap_or_else(|| prompt("Title"))? chain in all
seven build_*_item functions with prompt_or_flag, and folds
login's or_else(|| prompt_optional(...).ok().flatten()) for
username and url into prompt_or_flag_optional. prompt_secret
sites and the parse-on-Some-only patterns (expiry, dob, card
kind, totp algorithm) stay as-is per spec. Removes the
#[allow(dead_code)] attributes from the four helpers in
prompt.rs now that callers exist.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
