3 commits from feature/cli-tail-stream-c-core-wasm-seam:
- e5d63ab refactor(core): extract base32 module, dedupe two RFC 4648 impls
- 03f2a1b refactor(core,cli): migrate CLI parsers to relicario-core, parse.rs becomes shim
- fc9264e feat(wasm): add parse_month_year, base32_decode_lenient, guess_mime exports
Phase 7 complete: parser bodies (MonthYear::parse, mime::guess_for_extension,
TotpConfig::parse_secret) lifted into relicario-core; CLI parse.rs reduced to
19-line thin shims; callsites unchanged. base32 codec deduplicated from two
inline implementations (item.rs encoder + import_lastpass.rs decoder) into
crate::base32::{encode_rfc4648, decode_rfc4648_lenient}. Steam Guards
non-RFC-4648 alphabet stays at item_types/totp.rs:13 with a neighbour
comment cross-referencing the standard module.
Phase 8 complete: 3 #[wasm_bindgen] exports (parse_month_year,
base32_decode_lenient, guess_mime) with snake_case JS names per existing
convention. extension/src/wasm.d.ts mirror landed in the same commit
(fc9264e) per kickoff hard-rule.
Spec deviation (PM ack 02:55Z + 15:13Z): pub(crate) mod base32 promoted to
pub mod base32 because the CLI shim AND the Phase 8 WASM exports both
require external reach. Justification documented in lib.rs module-list
comment + module-level docstring on base32.rs explicitly carving Steam
Guard out as a non-user.
Two new RelicarioError variants added (additive, non-breaking):
- InvalidBase32(String)
- InvalidMonthYear(String)
3-way merge with stream-a (3dd1e1b) clean: stream-c didn't actually modify
add.rs or prompt.rs, so the diff stat showing those files was just stream-c
being behind on stream-a's changes. ort strategy auto-took mains versions.
Pre-merge checklist on tip fc9264e + post-merge verification:
- cargo test --workspace standalone: 272 tests, 0 failures
- cargo test --workspace post-merge: 277 tests, 0 failures (5 added from stream-a)
- cargo clippy --workspace --all-targets: silent (both standalone + post-merge)
- cargo build -p relicario-wasm --target wasm32-unknown-unknown: clean
- Extension vitest: 17 failed / 335 passed -- matches cycle-1 baseline cluster, no new regressions
- Independent fresh-subagent code review: APPROVE-WITH-NITS
- nit 1: stale doc-comment in extension/src/shared/base32.ts:3 (Plan C concern, deferred)
- nit 2: TotpConfig::parse_secret unused on this branch (spec-driven forward-compat for Plan C SW handlers)
Plan B Phases 7+8 complete. With Phase 3 (Stream A) already merged at 3dd1e1b,
only Phases 4+5+6 (Stream B in flight) remain to close out Plan B.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan B Phase 3 sub-step 2. Replaces the
title.map(Ok).unwrap_or_else(|| prompt("Title"))? chain in all
seven build_*_item functions with prompt_or_flag, and folds
login's or_else(|| prompt_optional(...).ok().flatten()) for
username and url into prompt_or_flag_optional. prompt_secret
sites and the parse-on-Some-only patterns (expiry, dob, card
kind, totp algorithm) stay as-is per spec. Removes the
#[allow(dead_code)] attributes from the four helpers in
prompt.rs now that callers exist.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan B Phase 7 sub-step 2 — moves the bodies of parse_month_year,
base32_decode_lenient, guess_mime from crates/relicario-cli/src/parse.rs
to relicario-core. The CLI's parse.rs becomes a 19-line shim re-exporting
the new core API.
New core surface:
- time::MonthYear::parse (Result<_, RelicarioError>)
- mime::guess_for_extension (new mime module)
- item_types::TotpConfig::parse_secret — Zeroizing<Vec<u8>> wrapper
over base32::decode_rfc4648_lenient
base32 module promoted from pub(crate) to pub so non-core consumers
(CLI shim, future Phase 8 WASM exports) can reach it. New
RelicarioError::InvalidMonthYear(String) for the parse error path
(mirrors sub-step 1's InvalidBase32). MonthYear::new keeps its
&'static str error type — bringing it to RelicarioError is DEV-A's P3.
CLI callsites unchanged (commands/{add,edit,attach}.rs); RelicarioError
auto-converts to anyhow::Error at ? boundaries.
cargo test --workspace: green (core 143, +7 from new tests)
cargo clippy --workspace: silent
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan B Phase 3 sub-step 1. The new helpers collapse the
Option<T>::map(Ok).unwrap_or_else(|| prompt(...))? chain that
the seven build_*_item builders repeat. Reader is injectable
via the *_with_reader variants so the unit tests can drive
both the flag-value and prompt paths from a Cursor without
needing a TTY. prompt and prompt_optional are refactored to
delegate to two private read_*_line helpers; semantics are
unchanged. dead_code is allowed on the four new helpers
until sub-step 2 wires them into commands/add.rs.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Catches the workspace and the extension manifests up to the v0.5.x
release line (was still showing 0.2.0).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The groups-cache opt-out is a developer debugging knob, not a
user-facing config. Gating the env-var lookup behind cfg!(debug_assertions)
makes release builds ignore the variable; the optimiser removes the
lookup entirely, so the variable name doesn't appear in release binary
strings output.
Doc-comments updated to reflect the new behaviour.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Remove device from devices.json
- Append to revoked.json with timestamp and revoked_by
- Delete Gitea deploy key (best-effort, warns if env vars missing)
- Always commit both devices.json and revoked.json together
- Print revoked signing public key for audit confirmation
- Guard against revoking the current device (would lose push access)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
per_vault_soft_cap_bytes and per_vault_hard_cap_bytes were defined in
VaultSettings but never checked. Now enforced in cmd_attach with
warning at soft cap, error at hard cap.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Control characters (newlines, tabs) in item titles corrupted git log
output. Now strips control chars and truncates to 50 chars.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Crafted .relbak files with IDs like "../../.bashrc" could escape the
target directory. Now validates that item/attachment IDs are hex-only
via is_valid() before any fs::write.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RELICARIO_TEST_PASSPHRASE and friends were checked in production code,
exposing the passphrase via /proc/<pid>/environ and shell history.
Now only compiled into debug binaries via cfg(debug_assertions) helper
functions. Release builds compile the helpers to return None, so the
env var names are absent from the release binary (verified via strings).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Brand name uses capital R in user-facing text — extension UI strings,
CLI clap help / descriptions / error prose, markdown docs. Lowercase
preserved for the binary command, crate names, npm package, file
paths, env vars, and code identifiers.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- import_lastpass.rs: note that password and extra are intentionally
not trimmed (leading/trailing whitespace is significant for both).
- cmd_import_lastpass: document the coupling between the
ImportWarning message strings and the CLI summary's "skipped"
filter — partial-import warnings (TOTP/URL) must not contain
the word "skipped".
Comment-only; no behavior change. Catches I1 and M5 from the
final code review without taking on the cross-cut WarningKind
enum refactor (deferred to a follow-up if it ever ships).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Unlocks the vault, parses the CSV, encrypts each item, writes
items/<id>.enc and manifest.enc, then a single
`git add … && git commit` covers all of them. Stderr progress
every 50 items + final summary. Exit non-zero only when zero
items imported.
Adds the Import command group with a Lastpass subcommand.
Stub returns `not implemented` so the help text is reachable
ahead of the body landing in Task 8.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Locks the singular vs plural transition (1 minute ago vs 2 minutes
ago) and each bucket boundary (59→60s minutes, 3599→3600s hours,
86400→86400×2 days, etc.) so future tweaks can't silently regress
the user-facing labels.
Drop the dead `stdout.contains("last export:")` + `.to_lowercase()` fallback
in status_shows_last_backup_line and status_shows_recent_backup_after_export;
assert `stdout.contains("Last export:")` verbatim instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reads .relicario/last_backup (written by cmd_backup_export). Format:
'never' for fresh vaults, '4 days ago' otherwise. Closes the
'is my backup stale?' question without leaving the terminal.
Refuses non-empty target, prompts for backup passphrase, writes the
full vault layout, untars .git/ when bundled or git-inits a fresh
'restore from backup <iso8601>' commit otherwise.
Also tightens error context on tar_directory's builder.finish().
Reads the vault layout from disk, prompts for backup passphrase
(zxcvbn-gated, independent of the live vault key), tars .git/
unless --no-history, optionally bundles the reference JPEG, and
atomic-writes the .relbak. Leaves .relicario/last_backup marker
for cmd_status.
