Commit Graph

720 Commits

Author SHA1 Message Date
adlee-was-taken
c6abcf8da7 docs(plan-c): re-scope to universal isomorphic-git receive-pack push
Mini-spike (isomorphic-git) proved the universal write path end-to-end with no
live creds: Tier 1 commit({onSign}) embeds our SSHSIG -> git verify-commit +
verify-org-commit both PASS; Tier 2 push over git-receive-pack to a bare repo
running the real org pre-receive hook ACCEPTS a member-signed commit and
REJECTS a non-member one.

- Spike doc: + Addendum recording the isomorphic-git Tier 1/2 results + Task 2
  implications (in-memory fs only, http/web, onAuth Basic, no new WASM export).
- Plan doc: architecture re-scoped (Gitea has no write Git Data API at any
  version -> single universal receive-pack path for both hosts); Task 1 marked
  DONE/GO; Task 2 rewritten as the universal commitSigned; Dev-A OrgManifest
  contract + Tasks 3-5 HELD-on-A/B recorded.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-25 23:22:41 -04:00
adlee-was-taken
426b82a7d2 spike(org-write): GO — SW-built SSHSIG commit passes the org hook; transport is host-specific
Task 1 GO/NO-GO for v0.9.0 Plan C (org write). Proven locally end-to-end: a
commit signed with ONLY the raw sign_for_git primitive + manual SSHSIG framing
(no new WASM export) passes both `git verify-commit` and `relicario-server
verify-org-commit`, incl. item+manifest dual-write to a granted collection with
full path authz. Hook matches on the signing-KEY fingerprint -> members[].
ed25519_pubkey; committer/author text is free-form (not checked).

Transport diverges by host:
- GitHub: Git Data API `POST /git/commits` has a `signature` field, inserted
  verbatim into gpgsig -> LIKELY-GO (1 live round-trip to confirm SSHSIG, not
  just PGP, is stored byte-for-byte).
- Gitea: `/git` API is GET-only on live 1.25.5 (no create-commit) -> REST
  NO-GO. Viable path is a `git-receive-pack` smart-HTTP packfile push
  (endpoint reachable, 401 Basic-auth) = bigger Task 2 than planned.

Also flags a pre-existing latent bug: gitea.ts putBlob calls nonexistent
Gitea /git write endpoints. Scope decision (GitHub-only vs build the Gitea
packfile pusher vs defer write) raised to PM.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LKBbrAjmpVXMEK15pNi3Ha
2026-06-25 21:05:03 -04:00
adlee-was-taken
79284979c1 docs(coordination): v0.9.0 multi-agent kickoff prompts (PM + 5 devs)
Generate the kickoff prompts for the v0.9.0 lift — two independent tracks
sharing the tag, each internally sequenced:

  org track:      dev-a (SW+WASM foundation) -> dev-b (read UI) -> dev-c (write)
  keyfile track:  dev-d (core/cli/wasm)      -> dev-e (extension + positioning)

- PM prompt encodes start-order gating (A+D start now; C runs its GO/NO-GO
  signed-commit spike now; B holds for A; E holds for D; C-writes hold for A+B),
  the Gitea git-merge mechanism (gh is unusable here — merge via git --no-ff),
  per-stream judgment calls, and the pre-tag checklist incl. the release.js
  version-check caveat (relicario-server's independent 0.1.x line).
- Each dev prompt: worktree setup, force-cd subagent rule, relay polling cadence,
  scope/out-of-scope partition, hard rules, final tests, push (no gh pr create).
- v0.9.0-launch.sh: relay health-check + tmux session (pm + dev-a..dev-e).

Relay already supports dev-a..dev-f (no queue.ts/server.ts change needed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 20:39:57 -04:00
adlee-was-taken
5a5cf04b8f release: v0.8.2 — extension vault-creation fix (binary transport)
Extension-only patch: fixes vault create/attach in the browser extension, where
chrome.runtime.sendMessage silently dropped ArrayBuffer payloads (carrier JPEG →
0 bytes → opaque "no SOF marker found in JPEG"). See CHANGELOG for the full set.

- Version bumps: extension 0.7.0→0.8.2 (it had no changes in 0.8.0/0.8.1);
  relicario-core/-cli/-wasm 0.8.1→0.8.2 for unified-tag consistency. The Rust
  core/CLI are functionally unchanged from v0.8.1. relicario-server stays 0.1.1
  (independent version line; no functional change).
- CHANGELOG.md: v0.8.2 section. STATUS.md / ROADMAP.md: v0.8.2 landed, v0.9.0
  flagged as ready to kick off.

Verify: cargo build/test/clippy -D warnings all green (35 test binaries);
extension 435/435 vitest, build:all clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
v0.8.2
2026-06-25 20:26:36 -04:00
adlee-was-taken
d5dd550d4d fix(build): clippy 1.93.0 compliance
clippy 1.93.0 added/tightened several lints that broke `cargo clippy -D warnings`
(the release gate). All behavior-preserving:

- unnecessary_map_or: `signer_parent.map_or(false, |r| …)` → `is_some_and`
  (relicario-server/src/main.rs).
- needless_question_mark: drop redundant `Ok(… ?)` wrappers around
  `serde_json::from_str(…).context(…)` in org_session.rs load_meta/load_members/
  load_collections.
- print_literal: inline the trailing "FLAG" header literal in `org audit`.
- items_after_test_module: move `configure_git_signing` above the
  `seed_helper_tests` module in device.rs so the test module is last.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 20:26:26 -04:00
adlee-was-taken
938174b194 merge: fix/v0.8.2-extension-vault-creation — binary-safe transport + carrier guard + drawer/lock layout
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:48 -04:00
adlee-was-taken
20a25cebd9 fix(extension): drawer + lock-screen layout (center list, full-width lock)
- Closed vault drawer now negates its 440px via margin-right so it reserves no
  layout space — the list pane and its empty state center in the full
  post-sidebar width instead of being shifted left by the off-screen drawer.
- .vault-lock-screen gets flex:1 so the locked vault tab grows to full viewport
  width instead of collapsing to content width and pinning to the left.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:37 -04:00
adlee-was-taken
56adb68935 fix(extension): binary-safe message transport + carrier-image guard
chrome.runtime.sendMessage serializes with a JSON-like algorithm that drops
ArrayBuffer/TypedArray payloads — they arrive as empty objects, so a carrier
JPEG reached the service worker as 0 bytes and failed with the opaque WASM
error "no SOF marker found in JPEG". This broke extension vault creation.

- shared/message-binary.ts: encodeBinary/decodeBinary deep-walk a message tree
  and base64-envelope every binary buffer so it survives the channel (chunked
  base64 to avoid stack overflow on multi-MB buffers); plain number[] untouched.
- Wire encode/decode at all four message boundaries: popup, service-worker
  onMessage listener (decode request, encode response), setup swSend, vault
  postToServiceWorker.
- handleCreateVault: magic-byte guard classifies empty / non-JPEG carriers into
  actionable errors (carrier_image_empty / carrier_image_not_jpeg) instead of
  the opaque WASM error; error-copy.ts adds user-facing text; setup errors now
  route through lookupErrorCopy.
- router SETUP_ALLOWED: add create_vault / attach_vault / generate_recovery_qr —
  the Phase-3 setup wizard sends these from the setup page and they were being
  rejected as unauthorized_sender.
- Tests: message-binary round-trip suite (7) + carrier-guard (2) + setup
  allowlist (3). 435/435 vitest, build:all clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pe8qw5KePDqAEBsAxnVQuJ
2026-06-25 18:38:37 -04:00
adlee-was-taken
74cee8ac67 docs(plans): v0.9.0 implementation plans — 5 streams across 2 specs
Full-TDD per-stream plans for the v0.9.0 multi-agent train:
- org-a-foundation (A0+A1): WASM org_unwrap_key + multi-context SW session +
  org config + grant-filtered manifest read.
- org-b-read-ui (A2): org switcher + grant-filtered browse/read + offline banner.
- org-c-write (A3): GO/NO-GO signing spike first, then commitSigned + org write
  handlers + UI. Spike-gated; NO-GO ships read-only.
- keyfile-core-cli (B1+B2): core armor + unlock_with_secret + params hint +
  WASM bindings + CLI init/unlock --key-file.
- keyfile-ext-positioning (B3+B4): setup container choice + unlock + the
  README/DESIGN/CRYPTO/FORMATS positioning pivot.

Cross-plan contracts pinned and self-reviewed for consistency.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-21 09:35:44 -04:00
adlee-was-taken
9b38aac188 docs(specs): v0.9.0 design — extension org GUI + pluggable second factor
Product audit (product-expert skill) recommended two priority items; this
lands the audit record plus the two approved design specs that will drive
the v0.9.0 multi-agent train.

- reviews/2026-06-20-product-audit.md — the roadmap audit (reality check,
  recommendations, PM brief) that drove the two items.
- specs/2026-06-20-extension-org-gui-design.md — bring the org vault to the
  extension at read+write parity. Org write is gated on a Day-1 signing
  spike (the org hook rejects unsigned commits; the extension pushes
  unsigned today; sign_for_git exists in WASM but is unused). Spike-fail
  degrades to read-only + write follow-up.
- specs/2026-06-20-pluggable-second-factor-design.md — key file as an
  alternative second factor (same 32-byte secret, same KDF; crypto-light),
  chosen at setup via a non-secret params hint, plus the positioning pivot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 23:01:53 -04:00
adlee-was-taken
c3044ed5af feat(skills): add product-expert roadmap-audit + spec-review strategist
A standalone, self-triggering skill that acts as Relicario's product
strategist: audits the roadmap and reviews freshly-brainstormed release
specs for product/market fit, emitting PM-ready relay directive blocks.
Advisory only — the user stays the decision-maker.

- Two modes: roadmap audit (default) and spec review (verdict:
  PROCEED / RESCOPE / CUT / PIVOT).
- Four-lens engine run as parallel subagents: ground-truth (verify
  claims vs code/git, distinguishing an in-flight lift from real drift),
  jobs-to-be-done, market/competitive, and strategy synthesis.
- Fast by default; `deep` adds live competitive web research.
- Durable by design: lenses read living docs (README/ROADMAP/STATUS/
  CHANGELOG/specs) at runtime, so new surfaces/segments/features are
  picked up automatically. The one static asset, competitive-landscape.md,
  carries a last-reviewed date + freshness protocol.
- Wires a post-brainstorm product gate into CLAUDE.md's Planning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 22:30:48 -04:00
adlee-was-taken
59ebc28e7e docs(user): fix getting-started blockers (add git prereq + git clone command) + clarify sync remote setup 2026-06-20 22:30:07 -04:00
adlee-was-taken
df488a3d7c merge: feature/user-docs (v0.8.1 fast-follow) — 12-page end-user guide 2026-06-20 22:27:57 -04:00
adlee-was-taken
2fa4d6824c release: v0.8.1 — org item-type parity + collection-scoped attachments v0.8.1 2026-06-20 22:24:22 -04:00
adlee-was-taken
783e3493f0 merge: feature/extension-cli-parity-gap-analysis (v0.8.1) — extension<->CLI parity gap analysis (forward plan referenced by STATUS/ROADMAP) 2026-06-20 22:21:05 -04:00
adlee-was-taken
4cca9b465c merge: feature/v0.8.1-status-roadmap (v0.8.1 wrap-up) — mark org item-type parity + attachments shipped; reference parity-gap analysis 2026-06-20 22:14:36 -04:00
adlee-was-taken
5be3043ab5 merge: feature/v0.8.1-cleanup-item-build (v0.8.1 wrap-up) — shared encrypt_document_file helper (F1 DRY + F2 zeroize plaintext) 2026-06-20 22:07:38 -04:00
adlee-was-taken
cf89bf8ca4 merge: feature/v0.8.1-cli-arch-doc (v0.8.1 wrap-up) — document org item-type parity + attachment storage in cli ARCHITECTURE 2026-06-20 22:02:13 -04:00
adlee-was-taken
a91ceea0ed refactor(cli): shared encrypt_document_file helper (DRY org/personal Document build; zeroize source plaintext) 2026-06-20 22:02:07 -04:00
adlee-was-taken
415d8ed9ef docs(cli): document v0.8.1 org item-type parity surface in ARCHITECTURE.md
- org.rs bullet: full Card/Key/Document/Totp org add/edit parity via the
  shared item_build builders + edit helpers; interactive per-type edit;
  --*-stdin secret convention; purge removes attachments. Replaces the stale
  'Login/SecureNote/Identity only' + flag-driven-edit + deferred text.
- org_session.rs bullet: collection-scoped attachment storage (attachment_path/
  save/load/remove + DEFAULT_ORG_ATTACHMENT_MAX_BYTES).
- main.rs bullet: OrgCommands + OrgAddKind clap surface.

Source-line citations pinned per the code-constant-pinning discipline.
2026-06-20 22:00:29 -04:00
adlee-was-taken
d0f757b66d docs(user): org item-type parity shipped — flip concepts + faq org sections
All four v0.8.1 streams merged (main 4c0a289): org add now supports all 7 item
types (card/key/totp/document) and org edit is interactive. Flip the two
high-level org sections from "coming" to shipped, grounded in the real merged
`relicario org add <type> --collection …` surface; remove the rebase TODO markers.
2026-06-20 21:59:54 -04:00
adlee-was-taken
b54aaea239 docs(status): v0.8.1 org item-type parity landed — update STATUS + ROADMAP
Mark v0.8.1 shipped (all four streams merged on 4c0a289, verified against
source): org add/edit parity for all 7 item types (Card/Key/Totp + Document),
collection-scoped attachment storage, and the grant-scoped attachment-write
pre-receive hook. Move org item-type parity from deferred to shipped; relabel
the org-vault row as v0.8.0; reference the new extension-cli parity gap analysis
as the forward plan for deferred extension org read/write. Scope: STATUS.md +
ROADMAP.md only (CHANGELOG + version bumps owned by PM).
2026-06-20 21:59:47 -04:00
adlee-was-taken
2ea98f3aba merge: origin/main (4c0a289) into user-docs — org item-type parity shipped 2026-06-20 21:57:18 -04:00
adlee-was-taken
4c0a289acb merge: feature/v0.8.1-dev-c-document-attachments (v0.8.1 Dev-C) — org Document + collection-scoped attachment storage + edit/purge 2026-06-20 21:53:21 -04:00
adlee-was-taken
03559f81ea test(cli/org): org document add/edit/purge round-trips + attachment staging + grant denial 2026-06-20 21:35:24 -04:00
adlee-was-taken
fe8eeb97c9 fix(cli/org): reject --file on non-Document org edit (fail fast) 2026-06-20 21:28:52 -04:00
adlee-was-taken
8ec616be5d feat(cli/org): org document edit via --file + purge removes attachments 2026-06-20 21:23:46 -04:00
adlee-was-taken
bd323d8b1b feat(cli/org): org add document with collection-scoped attachment 2026-06-20 21:13:26 -04:00
adlee-was-taken
db0ab1d82e docs(formats): org collection-scoped attachment layout + default cap
Document the attachments/<slug>/<item-id>/<att-id>.enc layout (exactly 3
segments, slug-authorized by the pre-receive hook, never decrypted
server-side) and DEFAULT_ORG_ATTACHMENT_MAX_BYTES = 10 MiB, citing
org_session.rs:24 and the mirrored personal default settings.rs:116.
2026-06-20 21:08:23 -04:00
adlee-was-taken
68c6da4d67 chore(cli/org): silence dead_code on not-yet-consumed attachment API 2026-06-20 21:08:23 -04:00
adlee-was-taken
bccd113f55 feat(cli/org): collection-scoped attachment storage + default cap 2026-06-20 21:08:23 -04:00
adlee-was-taken
3ab1320f42 docs(user): add user_docs/ end-user guide (12 pages)
A friendly, task-oriented guide for non-technical users: README index,
getting-started, concepts, items, passwords-and-generators, totp,
attachments-and-documents, organizing, sync-and-backup, the-browser-extension,
recovery, faq. Every command/flag derived from the actual CLI surface
(`relicario --help` tree) and real extension behavior — no invented flags.
Org item-type parity is covered high-level pending the v0.8.1 B/C merge
(two TODO markers left for the rebase).
2026-06-20 21:08:00 -04:00
adlee-was-taken
6e73c5e6a1 merge: feature/v0.8.1-dev-b-card-key-totp (v0.8.1 Dev-B) — org add/edit parity for Card/Key/Totp via shared item_build + interactive org edit 2026-06-20 21:07:22 -04:00
adlee-was-taken
c5b1917eb0 docs(spec): extension<->CLI parity gap analysis — matrix, gap classification, prioritized work list
Forward-planning survey (not v0.8.1 scope). Two independent sweeps (PM 3-agent +
Dev-D 4-reader workflow with adversarial critic), reconciled and hand-verified
against source at b09e0ce. Headline: core item-CRUD at full parity (extension
often ahead); genuine extension gaps cluster in metadata management (group/tag/
filter editing limited to specific forms, zero favorites UI), backend-exists-no-
wire items (remove_attachment, per-item purge, isInTab attachment gate), autofill
hostname matching, and the org vault (largest, already specced/deferred).
2026-06-20 21:00:43 -04:00
adlee-was-taken
e76d7167d6 test(cli/org): grant enforcement + body/secret-stdin + key-edit coverage
Closes the minor coverage gaps from the final adversarial review:
- org add card/key/totp reject ungranted + unknown collections (pins the
  grant gate on the new write paths, which runs before any secret prompt)
- secure-note --body-stdin masks body; totp --secret-stdin round-trips
  (completes the --*-stdin matrix for the org surface)
- key-material edit accept-branch round-trip, verified via get --show
2026-06-20 20:58:26 -04:00
adlee-was-taken
04ad98973a test(cli/org): adapt grant-denial edit case to interactive org edit
B3 dropped the flat --username/--url/... flags from `org edit`, so the
ungranted-member denial test must drive the bare interactive form. The
ungranted member is now rejected at manifest lookup (filter_for_member +
resolve_org_query) before any prompt is read.
2026-06-20 20:49:12 -04:00
adlee-was-taken
290bc4e2d0 feat(cli/org): interactive per-type org edit via shared edit helpers 2026-06-20 20:43:03 -04:00
adlee-was-taken
82feb49ab4 feat(cli/org): org add parity for Card/Key/Totp via shared builders 2026-06-20 18:31:29 -04:00
adlee-was-taken
07862b8d44 test(cli/org): failing Card/Key/Totp org add round-trips (B4, pre-A-integration)
Adds run_stdin + create_collection_and_grant fixture helpers and three
acceptance tests for org add card/key/totp. Red until B1/B2 wire the
subcommands (currently: unrecognized subcommand). Asserts org get masks
card number + key material without --show. Edit round-trips land with B3.
2026-06-20 18:26:11 -04:00
adlee-was-taken
b09e0ce036 merge: feature/v0.8.1-dev-a-foundation (v0.8.1 Dev-A) — shared item_build module + personal add/edit refactor + --*-stdin flags 2026-06-20 18:24:04 -04:00
adlee-was-taken
d8b23d421e refactor(cli): tidy item_build edit helpers (simplify pass)
- edit_secure_note / edit_key now call the module's resolve_secret_multiline
  instead of open-coding the eprintln-hint + read-to-EOF pattern (the helper
  exists precisely to centralize this; build_secure_note/build_key already use it).
- drop redundant fn-local imports: `use zeroize::Zeroizing;` from the five edit_*
  helpers and the re-imported `TotpAlgorithm` from edit_login/build_login
  (all covered by module-level imports; leftover from the verbatim A2/A3 move).
- build_login passes the password_stdin flag through to resolve_secret_line for
  consistency with build_card/build_totp (behavior identical — that branch is
  only reached when password_stdin is true).
- restore #[allow(clippy::too_many_arguments)] on build_totp (8 args; the old
  build_totp_item carried the same allow — signature is frozen for B/C).
2026-06-20 18:14:10 -04:00
adlee-was-taken
6eb1275710 feat(cli): --*-stdin secret flags for personal add (non-interactive secrets) 2026-06-20 17:56:45 -04:00
adlee-was-taken
751e4e9bb1 chore(cli): remove now-dead prompt/prompt_optional helpers
A3 routed personal `add` through the shared item_build builders, which use
prompt_secret / resolve_secret_*; the generic single-line prompt() and
prompt_optional() lost their last callers. read_required_line /
read_optional_line stay (used by prompt_or_flag*).
2026-06-20 17:40:52 -04:00
adlee-was-taken
db4e05a193 merge: feature/v0.8.1-dev-d-server-hook (v0.8.1 Dev-D) — grant-scope org attachment write paths in pre-receive hook 2026-06-20 17:38:27 -04:00
adlee-was-taken
65e23cfddc refactor(cli): personal add delegates to shared item_build builders 2026-06-20 17:35:18 -04:00
adlee-was-taken
d32af594e4 feat(server): grant-scope org attachment write paths in pre-receive hook 2026-06-20 17:30:49 -04:00
adlee-was-taken
b83643ee0a refactor(cli): move per-type edit helpers into shared item_build module 2026-06-20 17:27:05 -04:00
adlee-was-taken
154b984725 feat(cli): shared item_build module — secret resolution + type parsers 2026-06-20 17:21:43 -04:00
adlee-was-taken
517d52d517 docs(coordination): v0.8.1 PM + Dev-A/B/C/D kickoff prompts
4-stream manual-pane kickoff (no tmux automation): A foundation, B
Card/Key/Totp, C Document+attachments, D server hook. Each dev prompt
mandates a relay polling cadence (read inbox between every subagent;
HOLD/RESCOPE = interrupt) so PM directives are never missed. Gitea/git
merge mechanism; C<->D attachment-path coordination baked in.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L5JvzEse4xUxLZKhofyeCD
2026-06-20 17:10:26 -04:00
adlee-was-taken
3774047298 chore(salvage): snapshot org-vault tail uncommitted work before worktree cleanup
org_audit.rs (B8 verified-signer test) + the two uncommitted org.rs diffs
(item-CRUD B9-B13, status/audit B8) from the wf_22020aea first-run worktrees.
All superseded by v0.8.0 main; also committed on the -r2 branches. Kept so
nothing is lost when the stale worktrees are removed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L5JvzEse4xUxLZKhofyeCD
2026-06-20 16:58:28 -04:00