Commit Graph

758 Commits

Author SHA1 Message Date
adlee-was-taken
8b97ebc01a Merge remote-tracking branch 'origin/main' into feature/v0.9.0-dev-c-org-write 2026-06-27 11:04:23 -04:00
adlee-was-taken
7932703bc1 docs(status): keyfile track complete (D+minors+E merged); org track in progress (A I1-fix gated, B building+config-add, C held)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
2026-06-27 11:04:09 -04:00
adlee-was-taken
2ff5e5b584 merge: feature/v0.9.0-dev-e-keyfile-ext (v0.9.0 Dev-E keyfile extension + positioning) 2026-06-26 22:57:45 -04:00
adlee-was-taken
7a6cfb5659 test(ext/sw): cover handleUnlock keyfile error paths (forward-compat guard, invalid_key_file, key-file-not-set) 2026-06-26 22:51:10 -04:00
adlee-was-taken
98861218f9 docs(formats): pin KdfParams citation to crypto.rs:180 (line shifted post-merge) 2026-06-26 22:48:03 -04:00
adlee-was-taken
df3aa319e7 Merge remote-tracking branch 'origin/main' into feature/v0.9.0-dev-e-keyfile-ext 2026-06-26 22:33:45 -04:00
adlee-was-taken
73877bad78 docs: pin keyfile.rs/second_factor citations; state the second factor is never pushed to the remote 2026-06-26 22:24:57 -04:00
adlee-was-taken
201bf05adc feat(ext/setup+sw): attach via key file when the vault uses one (probe second_factor, .relkey picker, handleAttachVault keyfile branch)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014THSV6cA4Gxa7bxFfisHBB
2026-06-26 22:19:41 -04:00
adlee-was-taken
2f7a034a1b feat(ext/setup): download the generated .relkey at finish + skip carrier gate in keyfile mode
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014THSV6cA4Gxa7bxFfisHBB
2026-06-26 22:07:14 -04:00
adlee-was-taken
d3f46389e4 feat(ext/sw): unlock resolves second factor from params hint (keyfile branch)
Extract handleUnlock from popup-only.ts handle() switch, add keyfile branch
(keyfile_decode + unlock_with_secret), forward-compat guard for unknown
second_factor values, loadKeyfileBase64 helper, loadSetupState isConfigured
fix for keyfile vaults. Register error copy for three new error codes.
Un-skip Task 4 TDD test — 440/440 green, build clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014THSV6cA4Gxa7bxFfisHBB
2026-06-26 21:59:17 -04:00
adlee-was-taken
2262272b20 merge: fix/v0.9.0-keyfile-minors (v0.9.0 Dev-D keyfile security-review minors) 2026-06-26 21:54:05 -04:00
adlee-was-taken
5cc16ddffb feat(ext/sw): create_vault key-file mode (generate secret, unlock_with_secret, store keyfileBase64)
- Add KEYFILE_PARAMS_JSON const (same KDF params as default + second_factor:"keyfile" hint)
- Generalize registerDeviceAndPersistConfig: takes factorStorage union instead of
  referenceImageBytes Uint8Array; spreads { imageBase64 } or { keyfileBase64 } into
  chrome.storage.local.set so exactly one factor key is present
- Branch handleCreateVault on msg.secondFactor === 'keyfile': skip carrier-image
  guards and embed_image_secret; call unlock_with_secret + keyfile_encode; share
  the file-write / device-registration / session tail with the image path
- Update handleAttachVault call to registerDeviceAndPersistConfig to pass
  { imageBase64: uint8ArrayToBase64(referenceImageBytes) }
- Relax carrierImageBytes to optional in messages.ts create_vault request type
- Skip Task-4 describe block in keyfile-unlock.test.ts (un-skip in Task 4)

TDD: Task-2 test RED → GREEN; Task-4 describe.skipped; full suite 439 passed/1 skipped; build clean

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014THSV6cA4Gxa7bxFfisHBB
2026-06-26 21:49:09 -04:00
adlee-was-taken
b2bed1c50e fix(core): zeroize keyfile_encode output + lock-in tests for backup-keyfile-error and malformed-vs-wrong unlock
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-26 21:45:14 -04:00
adlee-was-taken
6970893713 Merge remote-tracking branch 'origin/main' into feature/v0.9.0-dev-e-keyfile-ext 2026-06-26 21:35:39 -04:00
adlee-was-taken
956ab6886a Merge remote-tracking branch 'origin/main' into feature/v0.9.0-dev-c-org-write 2026-06-26 21:35:17 -04:00
adlee-was-taken
2c5af671d0 docs(coordination): v0.9.0 dev resume prompts after ~21h stall (D merged; A/B/C/E resume)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
2026-06-26 21:29:56 -04:00
adlee-was-taken
d649203335 docs(status): Dev-D keyfile core/cli/wasm merged (588495f); keyfile-minors follow-up tracked
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
2026-06-26 00:45:50 -04:00
adlee-was-taken
588495fd7b merge: feature/v0.9.0-dev-d-keyfile-core (v0.9.0 Dev-D keyfile core/cli/wasm) 2026-06-26 00:39:55 -04:00
adlee-was-taken
13512ed9bf docs: record v0.9.0 org-write spike decision + device-key prereq (PM)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Hc6Rvdz3DxLucqNtPE2iP
2026-06-26 00:39:54 -04:00
adlee-was-taken
22068136dc docs(plan-c): mark Task 2 (universal commitSigned) DONE + security-clean
Universal isomorphic-git receive-pack push path shipped & verified: sshsig.ts +
mem-fs.ts + git-push.ts + commitSigned on GitHost/Gitea/GitHub. Full SW suite
163/163, build:all bundles isomorphic-git into the SW, /security-review clean.
Tasks 3-5 remain HELD on Dev-A + Dev-B merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-26 00:30:23 -04:00
adlee-was-taken
110f02e4e3 refactor(cli): drop unused param from resolve_second_factor_secret (simplify pass)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-26 00:19:55 -04:00
adlee-was-taken
d942650f9f fix(ext/sw): model isomorphic-git PushResult correctly; test the real push-rejection throw
PushResult has a singular `error: string | null` and a `refs` map — there
is no top-level `errors: string[]`. Replace the fabricated type and the
`errors`-based rejection guard with a correct PushResultRuntime type and a
belt-and-suspenders refsOk check. The real rejection path is a thrown
GitPushError (isomorphic-git throws, never returns, when a hook declines);
replace the single fiction-testing test with (a) a throw-path test that mocks
push to reject with a GitPushError and (b) a defensive non-throwing test that
mocks push to resolve { ok: false, error: 'unpack failed' }.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-26 00:19:34 -04:00
adlee-was-taken
2203d817ec fix(cli): resolve second factor via shared helper for recovery-qr + backup (key-file parity); wasm equivalence negative control
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-26 00:11:50 -04:00
adlee-was-taken
56dec78f44 feat(ext/sw): universal commitSigned — isomorphic-git receive-pack push + SSHSIG
Add CommitFile/CommitSigner types + commitSigned to GitHost interface.
Implement git-push.ts (clone→add→commit({onSign=SSHSIG})→push over http/web)
and wire GiteaHost.commitSigned / GitHubHost.commitSigned. Tests: 7/7 incl.
golden-vector tie against the sshsig.test.ts byte-exact vector.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-26 00:08:09 -04:00
adlee-was-taken
0bc1f53b48 feat(ext/sw): mem-fs — dep-free in-memory fs for isomorphic-git org pushes 2026-06-25 23:51:00 -04:00
adlee-was-taken
23c8bbea65 test(cli): assert .relkey never enters git tree + init failure-path coverage + display polish
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 23:43:31 -04:00
adlee-was-taken
273fe5cf30 fix(ext/sw): sshsig hashes the exact payload view; hoist TextEncoder 2026-06-25 23:40:16 -04:00
adlee-was-taken
b3db292474 feat(ext/sw): sshsig — SSHSIG framing over sign_for_git for git-valid commit signatures 2026-06-25 23:33:42 -04:00
adlee-was-taken
2daa3502e9 feat(cli): init --key-file generates a .relkey second factor
Add `--key-file <path>` to `relicario init` as a mutually exclusive
alternative to `--image`/`--output`. When given, a 32-byte secret is
generated with OsRng, armored via `keyfile_encode`, written to the
supplied path (gitignored, never committed), and `params.json` records
`"second_factor": "keyfile"`. The `--image` arg is now Option<PathBuf>;
existing image-vault callers are unchanged. `ParamsFile::for_new_vault`
now takes the second-factor variant as an explicit argument.

Tests: un-ignore init_keyfile_then_unlock_keyfile_round_trips (full
round-trip), strengthen its assertion to check for distinctive username
"octocat", and add init_keyfile_writes_relkey_and_keyfile_params
(armor, params parse, gitignore). Full workspace green (0 failures),
clippy clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 23:32:41 -04:00
adlee-was-taken
c6abcf8da7 docs(plan-c): re-scope to universal isomorphic-git receive-pack push
Mini-spike (isomorphic-git) proved the universal write path end-to-end with no
live creds: Tier 1 commit({onSign}) embeds our SSHSIG -> git verify-commit +
verify-org-commit both PASS; Tier 2 push over git-receive-pack to a bare repo
running the real org pre-receive hook ACCEPTS a member-signed commit and
REJECTS a non-member one.

- Spike doc: + Addendum recording the isomorphic-git Tier 1/2 results + Task 2
  implications (in-memory fs only, http/web, onAuth Basic, no new WASM export).
- Plan doc: architecture re-scoped (Gitea has no write Git Data API at any
  version -> single universal receive-pack path for both hosts); Task 1 marked
  DONE/GO; Task 2 rewritten as the universal commitSigned; Dev-A OrgManifest
  contract + Tasks 3-5 HELD-on-A/B recorded.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-25 23:22:41 -04:00
adlee-was-taken
e8f6635188 feat(cli): unlock resolves second factor from params hint (image|keyfile)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 21:37:59 -04:00
adlee-was-taken
c79ff1caf5 scaffold(ext): create_vault secondFactor request field + relkeyBytes response (held types) 2026-06-25 21:35:34 -04:00
adlee-was-taken
9e19949880 docs: fix ParamsFile citation (cli/session.rs:117, not core/crypto.rs) + README scope header 2026-06-25 21:28:10 -04:00
adlee-was-taken
6cb12990ec feat(wasm): unlock_with_secret + keyfile encode/decode bindings + equivalence proof
Adds three WASM bindings for the pluggable second-factor work:
- unlock_with_secret: mirrors unlock() but accepts a raw 32-byte secret
  instead of a carrier image, skipping imgsecret::extract
- keyfile_encode: armors a 32-byte secret into relicario-keyfile-v1 format
- keyfile_decode: decodes keyfile armor back to the raw 32-byte secret

Adds native equivalence test proving that unlock_with_secret and unlock
derive an identical Argon2id master key when given the same secret,
passphrase, salt, and KDF params. Comparison is direct (master-key bytes),
not cross-decrypt, so the test is both native-safe and unambiguous.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 21:24:10 -04:00
adlee-was-taken
1591fc7825 docs: re-lead positioning on the two-factor-KDF thesis; document the key-file second factor
README: open with the two-independent-secrets-into-KDF thesis; reframe the
second factor as pluggable (reference image or key file); keep the stego
deep-dive as a distinctive option; update all scenario tables, recovery section,
env-var hint, and roadmap line to use "second-factor secret" language.

docs/CRYPTO.md: add "Pluggable second-factor containers" subsection explaining
that the 32-byte input to Argon2id is identical regardless of container;
reference-image / key-file / recovery-QR are interchangeable carriers.
Update org-vs-personal comparison table and entropy labels.

docs/FORMATS.md: document the .relkey armor format (relicario-keyfile-v1 +
base64 line) and the params.json second_factor field ("image"|"keyfile",
absent means "image" for back-compat). Cite crates/relicario-core/src/keyfile.rs
keyfile_encode/keyfile_decode with TODO-pin comments. Update KDF input formula
from image_secret to second_factor_secret.

DESIGN.md: split secrets-map "Reference image bytes" row to distinguish image
and key-file containers; add key-file row noting keyfileBase64 in
chrome.storage.local has the same in-the-clear posture as imageBase64.
Update vault-layout note and KDF conventions row.

docs/SECURITY.md: add "Second-factor storage posture" subsection explicitly
stating .relkey and keyfileBase64 are the second factor in the clear — same
posture as the reference JPEG / imageBase64, not weaker, protected by the
passphrase invariant. Add RELICARIO_KEYFILE to the env-var trust surface table.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014THSV6cA4Gxa7bxFfisHBB
2026-06-25 21:24:06 -04:00
adlee-was-taken
eabc93bd84 fix(core): zeroize keyfile decode intermediate + clearer errors + error-arm tests 2026-06-25 21:15:11 -04:00
adlee-was-taken
3b7099c6f4 feat(core): key-file armor (relicario-keyfile-v1) encode/decode
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 21:09:40 -04:00
adlee-was-taken
a25f8e8a30 feat(ext/setup): second-factor container choice (image | key file) 2026-06-25 21:06:58 -04:00
adlee-was-taken
426b82a7d2 spike(org-write): GO — SW-built SSHSIG commit passes the org hook; transport is host-specific
Task 1 GO/NO-GO for v0.9.0 Plan C (org write). Proven locally end-to-end: a
commit signed with ONLY the raw sign_for_git primitive + manual SSHSIG framing
(no new WASM export) passes both `git verify-commit` and `relicario-server
verify-org-commit`, incl. item+manifest dual-write to a granted collection with
full path authz. Hook matches on the signing-KEY fingerprint -> members[].
ed25519_pubkey; committer/author text is free-form (not checked).

Transport diverges by host:
- GitHub: Git Data API `POST /git/commits` has a `signature` field, inserted
  verbatim into gpgsig -> LIKELY-GO (1 live round-trip to confirm SSHSIG, not
  just PGP, is stored byte-for-byte).
- Gitea: `/git` API is GET-only on live 1.25.5 (no create-commit) -> REST
  NO-GO. Viable path is a `git-receive-pack` smart-HTTP packfile push
  (endpoint reachable, 401 Basic-auth) = bigger Task 2 than planned.

Also flags a pre-existing latent bug: gitea.ts putBlob calls nonexistent
Gitea /git write endpoints. Scope decision (GitHub-only vs build the Gitea
packfile pusher vs defer write) raised to PM.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-25 21:05:03 -04:00
adlee-was-taken
b08b388d5d feat(core+cli): SecondFactor hint on ParamsFile (default image, back-compat)
Add SecondFactor enum (Image | Keyfile, serde lowercase) to relicario-core::crypto,
re-export from lib.rs alongside KdfParams.  Add #[serde(default)] second_factor field
to ParamsFile in relicario-cli::session so existing params.json files (no field) still
parse as Image.  for_new_vault() initialises the field to Image.  No unlock logic
changed; that is deferred to Task 4.  TDD: tests written RED first, then GREEN.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
2026-06-25 21:02:13 -04:00
adlee-was-taken
79284979c1 docs(coordination): v0.9.0 multi-agent kickoff prompts (PM + 5 devs)
Generate the kickoff prompts for the v0.9.0 lift — two independent tracks
sharing the tag, each internally sequenced:

  org track:      dev-a (SW+WASM foundation) -> dev-b (read UI) -> dev-c (write)
  keyfile track:  dev-d (core/cli/wasm)      -> dev-e (extension + positioning)

- PM prompt encodes start-order gating (A+D start now; C runs its GO/NO-GO
  signed-commit spike now; B holds for A; E holds for D; C-writes hold for A+B),
  the Gitea git-merge mechanism (gh is unusable here — merge via git --no-ff),
  per-stream judgment calls, and the pre-tag checklist incl. the release.js
  version-check caveat (relicario-server's independent 0.1.x line).
- Each dev prompt: worktree setup, force-cd subagent rule, relay polling cadence,
  scope/out-of-scope partition, hard rules, final tests, push (no gh pr create).
- v0.9.0-launch.sh: relay health-check + tmux session (pm + dev-a..dev-e).

Relay already supports dev-a..dev-f (no queue.ts/server.ts change needed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 20:39:57 -04:00
adlee-was-taken
5a5cf04b8f release: v0.8.2 — extension vault-creation fix (binary transport)
Extension-only patch: fixes vault create/attach in the browser extension, where
chrome.runtime.sendMessage silently dropped ArrayBuffer payloads (carrier JPEG →
0 bytes → opaque "no SOF marker found in JPEG"). See CHANGELOG for the full set.

- Version bumps: extension 0.7.0→0.8.2 (it had no changes in 0.8.0/0.8.1);
  relicario-core/-cli/-wasm 0.8.1→0.8.2 for unified-tag consistency. The Rust
  core/CLI are functionally unchanged from v0.8.1. relicario-server stays 0.1.1
  (independent version line; no functional change).
- CHANGELOG.md: v0.8.2 section. STATUS.md / ROADMAP.md: v0.8.2 landed, v0.9.0
  flagged as ready to kick off.

Verify: cargo build/test/clippy -D warnings all green (35 test binaries);
extension 435/435 vitest, build:all clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
v0.8.2
2026-06-25 20:26:36 -04:00
adlee-was-taken
d5dd550d4d fix(build): clippy 1.93.0 compliance
clippy 1.93.0 added/tightened several lints that broke `cargo clippy -D warnings`
(the release gate). All behavior-preserving:

- unnecessary_map_or: `signer_parent.map_or(false, |r| …)` → `is_some_and`
  (relicario-server/src/main.rs).
- needless_question_mark: drop redundant `Ok(… ?)` wrappers around
  `serde_json::from_str(…).context(…)` in org_session.rs load_meta/load_members/
  load_collections.
- print_literal: inline the trailing "FLAG" header literal in `org audit`.
- items_after_test_module: move `configure_git_signing` above the
  `seed_helper_tests` module in device.rs so the test module is last.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 20:26:26 -04:00
adlee-was-taken
938174b194 merge: fix/v0.8.2-extension-vault-creation — binary-safe transport + carrier guard + drawer/lock layout
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:48 -04:00
adlee-was-taken
20a25cebd9 fix(extension): drawer + lock-screen layout (center list, full-width lock)
- Closed vault drawer now negates its 440px via margin-right so it reserves no
  layout space — the list pane and its empty state center in the full
  post-sidebar width instead of being shifted left by the off-screen drawer.
- .vault-lock-screen gets flex:1 so the locked vault tab grows to full viewport
  width instead of collapsing to content width and pinning to the left.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:37 -04:00
adlee-was-taken
56adb68935 fix(extension): binary-safe message transport + carrier-image guard
chrome.runtime.sendMessage serializes with a JSON-like algorithm that drops
ArrayBuffer/TypedArray payloads — they arrive as empty objects, so a carrier
JPEG reached the service worker as 0 bytes and failed with the opaque WASM
error "no SOF marker found in JPEG". This broke extension vault creation.

- shared/message-binary.ts: encodeBinary/decodeBinary deep-walk a message tree
  and base64-envelope every binary buffer so it survives the channel (chunked
  base64 to avoid stack overflow on multi-MB buffers); plain number[] untouched.
- Wire encode/decode at all four message boundaries: popup, service-worker
  onMessage listener (decode request, encode response), setup swSend, vault
  postToServiceWorker.
- handleCreateVault: magic-byte guard classifies empty / non-JPEG carriers into
  actionable errors (carrier_image_empty / carrier_image_not_jpeg) instead of
  the opaque WASM error; error-copy.ts adds user-facing text; setup errors now
  route through lookupErrorCopy.
- router SETUP_ALLOWED: add create_vault / attach_vault / generate_recovery_qr —
  the Phase-3 setup wizard sends these from the setup page and they were being
  rejected as unauthorized_sender.
- Tests: message-binary round-trip suite (7) + carrier-guard (2) + setup
  allowlist (3). 435/435 vitest, build:all clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:37 -04:00
adlee-was-taken
74cee8ac67 docs(plans): v0.9.0 implementation plans — 5 streams across 2 specs
Full-TDD per-stream plans for the v0.9.0 multi-agent train:
- org-a-foundation (A0+A1): WASM org_unwrap_key + multi-context SW session +
  org config + grant-filtered manifest read.
- org-b-read-ui (A2): org switcher + grant-filtered browse/read + offline banner.
- org-c-write (A3): GO/NO-GO signing spike first, then commitSigned + org write
  handlers + UI. Spike-gated; NO-GO ships read-only.
- keyfile-core-cli (B1+B2): core armor + unlock_with_secret + params hint +
  WASM bindings + CLI init/unlock --key-file.
- keyfile-ext-positioning (B3+B4): setup container choice + unlock + the
  README/DESIGN/CRYPTO/FORMATS positioning pivot.

Cross-plan contracts pinned and self-reviewed for consistency.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-21 09:35:44 -04:00
adlee-was-taken
9b38aac188 docs(specs): v0.9.0 design — extension org GUI + pluggable second factor
Product audit (product-expert skill) recommended two priority items; this
lands the audit record plus the two approved design specs that will drive
the v0.9.0 multi-agent train.

- reviews/2026-06-20-product-audit.md — the roadmap audit (reality check,
  recommendations, PM brief) that drove the two items.
- specs/2026-06-20-extension-org-gui-design.md — bring the org vault to the
  extension at read+write parity. Org write is gated on a Day-1 signing
  spike (the org hook rejects unsigned commits; the extension pushes
  unsigned today; sign_for_git exists in WASM but is unused). Spike-fail
  degrades to read-only + write follow-up.
- specs/2026-06-20-pluggable-second-factor-design.md — key file as an
  alternative second factor (same 32-byte secret, same KDF; crypto-light),
  chosen at setup via a non-secret params hint, plus the positioning pivot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 23:01:53 -04:00
adlee-was-taken
c3044ed5af feat(skills): add product-expert roadmap-audit + spec-review strategist
A standalone, self-triggering skill that acts as Relicario's product
strategist: audits the roadmap and reviews freshly-brainstormed release
specs for product/market fit, emitting PM-ready relay directive blocks.
Advisory only — the user stays the decision-maker.

- Two modes: roadmap audit (default) and spec review (verdict:
  PROCEED / RESCOPE / CUT / PIVOT).
- Four-lens engine run as parallel subagents: ground-truth (verify
  claims vs code/git, distinguishing an in-flight lift from real drift),
  jobs-to-be-done, market/competitive, and strategy synthesis.
- Fast by default; `deep` adds live competitive web research.
- Durable by design: lenses read living docs (README/ROADMAP/STATUS/
  CHANGELOG/specs) at runtime, so new surfaces/segments/features are
  picked up automatically. The one static asset, competitive-landscape.md,
  carries a last-reviewed date + freshness protocol.
- Wires a post-brainstorm product gate into CLAUDE.md's Planning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 22:30:48 -04:00
adlee-was-taken
59ebc28e7e docs(user): fix getting-started blockers (add git prereq + git clone command) + clarify sync remote setup 2026-06-20 22:30:07 -04:00