relicario

alee/relicario

Fork 0

Commit Graph

Author	SHA1	Message	Date
adlee-was-taken	b655024320	docs(plan,spec): apply re-verification fixes (5 high + 5 med + 6 low) Re-verification gate cleared all original criticals; these close the residual defects the reassembly leaked back in: HIGH: - H-D1: add ssh-key dep to relicario-wasm; two-step PrivateKey::from; drop false note - H-D2: org_open_with_registered_device unwraps inside WASM (DEVICE_STATE seed, session-only); device private key never crosses to JS - H-D3: extension grant-filters the org manifest (members.json → member grants → filter_for_member) to honor the spec parity promise - H-C1: hook diffs {commit}^:members.json, rejects owner/admin escalation unless signer is Owner; adds signed-commit hook test - H-B4: reorder B4 tests to "org init --dir <path>" (subcommand-scoped global) MEDIUM: trash=item-delete + item-restore vocabulary reconciled; real transfer-ownership (demote caller unless --keep-owner); delete-org local-only caveat in spec; pinned RFC8032 X25519 KAT. LOW: org init honors RELICARIO_ORG_DIR; D3 VaultEntry type pinned; static_secrets in File Map/Tech Stack; --format <table\|json>; hook slug-in-collections check; spec-mandated integration tests (TAMPERED, audit JSON, rotate race, remove→rotate decrypt-denial). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-19 19:54:04 -04:00
adlee-was-taken	8c19e3cfda	docs(plan): rewrite org-vault plan per review — 25 tasks, 4 streams Corrects every critical/high finding from the adversarial review and adds the two scope expansions (full item CRUD + extension parity): - Device-key helpers built on the real devices/<name>/signing.{key,pub} layout + ssh-key CLI dep (was: invented ~/.config/relicario/device.key) - Signature-verifying pre-receive hook on every commit + path-scoped write authz via items/<slug>/<id>.enc (was: bare %GF, unenforceable flat items) - Org item CRUD (add/get/list/edit/rm/restore/purge), collection-scoped - Audit attributed to verified signer + TAMPERED flag (was: spoofable trailers) - rotate-key re-encrypts every item blob (was: manifest only) - Zeroize KDF intermediates; fix ssh_key::PrivateKey::from test helpers - Owner-only role-gating; fingerprint-based member matching; %x1e/%x1f audit parser framing; signed org commits via org_git_run - Extension stream (WASM bindings + SW org session + switcher + 3 vitest tests) - Stream-prefixed task IDs (A/B/C/D) with explicit cross-stream deps - Living-docs task Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-19 19:22:09 -04:00
adlee-was-taken	2543ed30f6	docs(plan): enterprise org vault implementation plan Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-06 21:22:15 -04:00

Author

SHA1

Message

Date

adlee-was-taken

b655024320

docs(plan,spec): apply re-verification fixes (5 high + 5 med + 6 low)

Re-verification gate cleared all original criticals; these close the residual
defects the reassembly leaked back in:

HIGH:
- H-D1: add ssh-key dep to relicario-wasm; two-step PrivateKey::from; drop false note
- H-D2: org_open_with_registered_device unwraps inside WASM (DEVICE_STATE seed,
  session-only); device private key never crosses to JS
- H-D3: extension grant-filters the org manifest (members.json → member grants →
  filter_for_member) to honor the spec parity promise
- H-C1: hook diffs {commit}^:members.json, rejects owner/admin escalation unless
  signer is Owner; adds signed-commit hook test
- H-B4: reorder B4 tests to "org init --dir <path>" (subcommand-scoped global)

MEDIUM: trash=item-delete + item-restore vocabulary reconciled; real
transfer-ownership (demote caller unless --keep-owner); delete-org local-only
caveat in spec; pinned RFC8032 X25519 KAT.

LOW: org init honors RELICARIO_ORG_DIR; D3 VaultEntry type pinned; static_secrets
in File Map/Tech Stack; --format <table|json>; hook slug-in-collections check;
spec-mandated integration tests (TAMPERED, audit JSON, rotate race, remove→rotate
decrypt-denial).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-19 19:54:04 -04:00

adlee-was-taken

8c19e3cfda

docs(plan): rewrite org-vault plan per review — 25 tasks, 4 streams

Corrects every critical/high finding from the adversarial review and adds the
two scope expansions (full item CRUD + extension parity):

- Device-key helpers built on the real devices/<name>/signing.{key,pub} layout
  + ssh-key CLI dep (was: invented ~/.config/relicario/device.key)
- Signature-verifying pre-receive hook on every commit + path-scoped write
  authz via items/<slug>/<id>.enc (was: bare %GF, unenforceable flat items)
- Org item CRUD (add/get/list/edit/rm/restore/purge), collection-scoped
- Audit attributed to verified signer + TAMPERED flag (was: spoofable trailers)
- rotate-key re-encrypts every item blob (was: manifest only)
- Zeroize KDF intermediates; fix ssh_key::PrivateKey::from test helpers
- Owner-only role-gating; fingerprint-based member matching; %x1e/%x1f audit
  parser framing; signed org commits via org_git_run
- Extension stream (WASM bindings + SW org session + switcher + 3 vitest tests)
- Stream-prefixed task IDs (A/B/C/D) with explicit cross-stream deps
- Living-docs task

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-19 19:22:09 -04:00

adlee-was-taken

2543ed30f6

docs(plan): enterprise org vault implementation plan

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-06 21:22:15 -04:00

3 Commits