alee/relicario
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: alee:feature/enterprise-org-vault-dev-a
Branches Tags
alee:main alee:feature/org-vault-a5-docs alee:feature/org-vault-doc-elevation-fix alee:feature/enterprise-org-vault-dev-a alee:feature/cli-tail-stream-b-session-manifest alee:feature/cli-tail-stream-c-core-wasm-seam alee:feature/cli-tail-stream-a-prompt-helpers alee:feature/arch-followup-stream-a-security-polish alee:feature/v0.5.1-stream-b-settings alee:feature/v0.5.1-stream-a-layout alee:feature/v0.5.1-stream-c-recovery-qr alee:feature/v0.5.0-plan-a-security-cleanup alee:feature/v0.5.0-plan-b-extension-ux
alee:v0.8.0 alee:v0.7.0 alee:v0.6.0 alee:plan-1c-beta2-complete alee:plan-1c-beta1-complete alee:plan-1c-alpha-complete alee:plan-1b-cli-wasm-complete
...
pull from: alee:feature/org-vault-doc-elevation-fix
Branches Tags
alee:main alee:feature/org-vault-a5-docs alee:feature/org-vault-doc-elevation-fix alee:feature/enterprise-org-vault-dev-a alee:feature/cli-tail-stream-b-session-manifest alee:feature/cli-tail-stream-c-core-wasm-seam alee:feature/cli-tail-stream-a-prompt-helpers alee:feature/arch-followup-stream-a-security-polish alee:feature/v0.5.1-stream-b-settings alee:feature/v0.5.1-stream-a-layout alee:feature/v0.5.1-stream-c-recovery-qr alee:feature/v0.5.0-plan-a-security-cleanup alee:feature/v0.5.0-plan-b-extension-ux
alee:v0.8.0 alee:v0.7.0 alee:v0.6.0 alee:plan-1c-beta2-complete alee:plan-1c-beta1-complete alee:plan-1c-alpha-complete alee:plan-1b-cli-wasm-complete

17 Commits
feature/en ... feature/or

Author SHA1 Message Date
adlee-was-taken
519e503cbd docs(plan,spec): align enforce_owner_only_elevation to shipped parent-role authority 
The plan's pre-receive-hook pseudocode judged owner-elevation authority on the
post-change `signer.role` (so a self-promoting Admin reads as Owner in the same
commit and self-authorizes the promotion — the exact escalation the gate exists
to stop). f249395 had fixed only the skip-predicate, leaving this final check
vulnerable. Align the plan's `enforce_owner_only_elevation` to the SHIPPED fix
(relicario-server/src/main.rs, aace6f1): derive `signer_may_manage_owners` from
`signer_parent = parent_role(signer.member_id)` (the signer's PRE-commit role;
None -> reject; genesis allowed) and gate on that, never the post-change role.

The spec was already policy-correct in prose ("a member-role-change granting
owner/admin must be signed by an owner") and did NOT carry the vulnerable
implementation detail; strengthened it with an explicit pre-commit-role note so
the design record pins the property and no one re-derives the vulnerable form.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy
 2026-06-20 13:45:04 -04:00
adlee-was-taken
cdb008c900 merge(cli): dev-b B7 (rotate-key) + B8 (status/audit) — reviewed; rotate re-encrypts all blobs, owner-only, concurrent-rotation abort 2026-06-20 13:40:36 -04:00
adlee-was-taken
053062effd feat(cli/org): status + audit (verified-signer attribution, TAMPERED flag, committer-date framing) 2026-06-20 13:24:35 -04:00
adlee-was-taken
3b6dbbe353 fix(cli/org): rotate-key writes member key blobs atomically (crash-safe) 2026-06-20 13:17:16 -04:00
adlee-was-taken
558da3bd75 feat(cli/org): rotate-key — re-encrypt every item blob + abort on concurrent rotation 2026-06-20 12:58:00 -04:00
adlee-was-taken
9c43f223f5 merge(cli): dev-b org stream B1-B6 — session, init, member/collection admin commands (dormant until B14 wiring) 2026-06-20 12:51:37 -04:00
adlee-was-taken
1c177871a7 feat(cli/org): create-collection, grant, revoke commands 2026-06-20 12:44:32 -04:00
adlee-was-taken
1ad8eb0918 feat(cli/org): add-member (owner-only escalation guard), remove-member, set-role 2026-06-20 12:38:48 -04:00
adlee-was-taken
aace6f132a harden(server): explicit verify-commit success gate + non-member/genesis hook tests 
- verify_org_signer now rejects on a non-zero git verify-commit exit instead of
  relying on the stderr fingerprint regex alone (PM hardening note 1).
- org_hook_signed: add commit_signed_by_non_member_is_rejected (exercises the
  signature rejection path) and genesis_bootstrap_with_sole_owner_is_accepted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-20 12:36:04 -04:00
adlee-was-taken
dbdb3f6ab0 refactor(cli/org): align org init main.rs wiring to OrgCommands + global --dir (B14-shaped) + assert org-init trailer 2026-06-20 12:33:07 -04:00
adlee-was-taken
7faedf8578 feat(cli/org): org init — structure + wrap + configure_git_signing + signed bootstrap commit 2026-06-20 10:27:08 -04:00
adlee-was-taken
ccb58d8bb5 feat(server): verify-org-commit — signature + path-scoped role/grant auth + owner-only elevation (parent-role authority) + schema monotonicity + generate-org-hook 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-20 10:21:15 -04:00
adlee-was-taken
570b0ddcd3 feat(cli/org): UnlockedOrgVault session (collection-scoped item_path, fingerprint match, signed org_git_run) 2026-06-20 09:48:15 -04:00
adlee-was-taken
7daedb33e0 feat(cli/org): org commands module stub + pub mod wiring 2026-06-20 09:43:43 -04:00
adlee-was-taken
17df315f0e feat(cli/device): current_device_seed + current_device_pubkey helpers 
Read the active device's ed25519 seed/pubkey from
devices/<name>/signing.{key,pub}. Adds ssh-key (0.6) as a CLI dep
(already at 0.6.7 in the workspace lock via relicario-core) and
ed25519-dalek as a dev-dep for the round-trip test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-20 09:43:43 -04:00
adlee-was-taken
2dd5d79f36 refactor(server): fold in PM review notes on classify_path 
- classify_path now Rejects a collection slug containing '.' (mirrors
  OrgCollections::validate, plan L317, and item_path's documented contract,
  plan L990). Unreachable today since git normalizes './' away, but keeps the
  pre-receive hook self-defensive against path traversal.
- Rename test item_write_nested_slug_takes_leading_segment_only ->
  item_write_nested_slug_is_rejected (it asserts Rejected; old name misled).
- Add dotted_slug_is_rejected covering the new guard.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01M5brcDrT35r5GaJySXD5ja
 2026-06-20 00:04:39 -04:00
adlee-was-taken
675b7836e1 feat(server): lib target + pure org-hook helpers (classify_path, extract_schema_version) + unit tests 2026-06-20 00:04:39 -04:00
16 changed files with 2186 additions and 6 deletions
Expand all files Collapse all files

3
Cargo.lock generated
View File

@@ -2166,17 +2166,20 @@ dependencies = [
"clap_complete", "clap_complete",
"data-encoding", "data-encoding",
"dirs", "dirs",
"ed25519-dalek",
"hex", "hex",
"image", "image",
"predicates", "predicates",
"qrcode", "qrcode",
"rand", "rand",
"regex",
"relicario-core", "relicario-core",
"reqwest", "reqwest",
"rpassword", "rpassword",
"rqrr", "rqrr",
"serde", "serde",
"serde_json", "serde_json",
"ssh-key",
"tar", "tar",
"tempfile", "tempfile",
"url", "url",

5
crates/relicario-cli/Cargo.toml
View File

@@ -30,9 +30,12 @@ image = { version = "0.25", default-features = false, features = ["jpeg", "png"]
rqrr = "0.7" rqrr = "0.7"
reqwest = { version = "0.12", features = ["blocking", "json"] } reqwest = { version = "0.12", features = ["blocking", "json"] }
qrcode = { version = "0.14", features = ["svg"] } qrcode = { version = "0.14", features = ["svg"] }
ssh-key = { version = "0.6", features = ["ed25519", "std"] }
regex = "1"
tempfile = "3"
[dev-dependencies] [dev-dependencies]
assert_cmd = "2" assert_cmd = "2"
predicates = "3" predicates = "3"
tempfile = "3"
serde_json = "1" serde_json = "1"
ed25519-dalek = "2"

1
crates/relicario-cli/src/commands/mod.rs
View File

@@ -14,6 +14,7 @@ pub mod edit;
pub mod generate; pub mod generate;
pub mod get; pub mod get;
pub mod import; pub mod import;
pub mod org;
pub mod init; pub mod init;
pub mod list; pub mod list;
pub mod rate; pub mod rate;

757
crates/relicario-cli/src/commands/org.rs Normal file
View File

@@ -0,0 +1,757 @@
//! `relicario org` subcommands for multi-user org vault management.
use std::fs;
use std::path::Path;
use anyhow::{Context, Result};
use relicario_core::{
generate_org_key, wrap_org_key,
CollectionDef, MemberId, OrgCollections, OrgManifest, OrgMembers, OrgMeta, OrgRole, OrgMember,
encrypt_org_manifest,
};
use crate::org_session::atomic_write;
pub fn run_init(dir: &Path, name: &str) -> Result<()> {
// Create directory structure
fs::create_dir_all(dir.join("items")).context("create items/")?;
fs::create_dir_all(dir.join("keys")).context("create keys/")?;
// Get caller's device info
let device_pubkey = crate::device::current_device_pubkey()
.context("read device key — run `relicario device add` first")?;
// Generate org master key
let org_key = generate_org_key();
// Wrap org key to caller's device key
let wrapped = wrap_org_key(&org_key, &device_pubkey)
.context("wrap org key to device key")?;
// Create initial members.json with caller as owner
let caller_id = MemberId::new();
let now = relicario_core::now_unix();
let member = OrgMember {
member_id: caller_id.clone(),
display_name: whoami(),
role: OrgRole::Owner,
ed25519_pubkey: device_pubkey,
collections: vec![],
added_at: now,
added_by: caller_id.clone(),
};
let mut members = OrgMembers::new();
members.members.push(member);
// Write wrapped key
let key_path = dir.join("keys").join(format!("{}.enc", caller_id.as_str()));
fs::write(&key_path, &wrapped).context("write caller key blob")?;
// Write org.json
let meta = OrgMeta::new(name.to_string());
let meta_json = serde_json::to_string_pretty(&meta)?;
atomic_write(&dir.join("org.json"), meta_json.as_bytes())?;
// Write members.json
let members_json = serde_json::to_string_pretty(&members)?;
atomic_write(&dir.join("members.json"), members_json.as_bytes())?;
// Write collections.json (empty)
let collections = OrgCollections::new();
let coll_json = serde_json::to_string_pretty(&collections)?;
atomic_write(&dir.join("collections.json"), coll_json.as_bytes())?;
// Write empty manifest.enc
let manifest = OrgManifest::new();
let manifest_bytes = encrypt_org_manifest(&manifest, &org_key)?;
atomic_write(&dir.join("manifest.enc"), &manifest_bytes)?;
// git init, then configure THIS repo to sign commits with the active device
// key. Org commits must be signed; the pre-receive hook verifies every one.
crate::helpers::git_run(dir, &["init"], "git init")?;
let device_name = crate::device::current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
crate::device::configure_git_signing(dir, &device_name)
.context("configure org repo signing")?;
// Stage everything and make the signed bootstrap commit via org_git_run
// (which does NOT disable signing, unlike helpers::git_run).
crate::org_session::org_git_run(dir, &["add", "."], "git add")?;
let commit_msg = format!(
"init: org vault \"{name}\"\n\nRelicario-Actor: {} {}\nRelicario-Action: org-init",
members.members[0].display_name,
caller_id.as_str()
);
crate::org_session::org_git_run(dir, &["commit", "-m", &commit_msg], "git commit")?;
println!("Org vault initialized at {}", dir.display());
println!("Your member ID: {}", caller_id.as_str());
Ok(())
}
fn whoami() -> String {
std::env::var("USER")
.or_else(|_| std::env::var("USERNAME"))
.unwrap_or_else(|_| "unknown".into())
}
pub fn run_add_member(
dir: &Path,
pubkey: &str,
name: &str,
role: OrgRole,
) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can add members");
}
// Privilege-escalation guard: only an owner may create an owner or admin.
if matches!(role, OrgRole::Owner | OrgRole::Admin) && !caller.role.can_manage_owners() {
anyhow::bail!("only owners can add members with the owner or admin role");
}
let mut members = vault.load_members()?;
// Check pubkey not already present
if members.members.iter().any(|m| m.ed25519_pubkey.trim() == pubkey.trim()) {
anyhow::bail!("this public key is already registered in the org");
}
let new_id = MemberId::new();
let now = relicario_core::now_unix();
let wrapped = wrap_org_key(vault.key(), pubkey)
.context("wrap org key to new member's key")?;
fs::write(vault.member_key_path(&new_id), &wrapped)
.context("write member key blob")?;
members.members.push(OrgMember {
member_id: new_id.clone(),
display_name: name.to_string(),
role,
ed25519_pubkey: pubkey.trim().to_string(),
collections: vec![],
added_at: now,
added_by: caller.member_id.clone(),
});
vault.save_members(&members)?;
let commit_msg = format!(
"org: add member \"{name}\"\n\nRelicario-Actor: {} {}\nRelicario-Action: member-add\nRelicario-Member: {}",
caller.display_name, caller.member_id.as_str(), new_id.as_str()
);
crate::org_session::org_git_run(
&vault.root,
&["add", "members.json", &format!("keys/{}.enc", new_id.as_str())],
"git add",
)?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Added {} ({})", name, new_id.as_str());
Ok(())
}
pub fn run_remove_member(dir: &Path, member_id_prefix: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can remove members");
}
let mut members = vault.load_members()?;
let target_id = resolve_member_id(&members, member_id_prefix)?;
let target = members.find_by_id(&target_id).unwrap();
if target.role == OrgRole::Owner && !caller.role.can_manage_owners() {
anyhow::bail!("only owners can remove other owners");
}
let target_name = target.display_name.clone();
// Delete key blob
let key_path = vault.member_key_path(&target_id);
if key_path.exists() { fs::remove_file(&key_path).context("delete key blob")?; }
members.members.retain(|m| m.member_id != target_id);
vault.save_members(&members)?;
let commit_msg = format!(
"org: remove member \"{target_name}\"\n\nRelicario-Actor: {} {}\nRelicario-Action: member-remove\nRelicario-Member: {}",
caller.display_name, caller.member_id.as_str(), target_id.as_str()
);
crate::org_session::org_git_run(
&vault.root,
&["add", "members.json", &format!("keys/{}.enc", target_id.as_str())],
"git add",
)?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
eprintln!("⚠ Run `relicario org rotate-key --dir {}` to complete revocation.", vault.root.display());
println!("Removed {}", target_name);
Ok(())
}
pub fn run_set_role(dir: &Path, member_id_prefix: &str, role: OrgRole) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let mut members = vault.load_members()?;
let target_id = resolve_member_id(&members, member_id_prefix)?;
if matches!(role, OrgRole::Admin | OrgRole::Owner) && !caller.role.can_manage_owners() {
anyhow::bail!("only owners can promote to admin or owner");
}
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can change roles");
}
let target = members.find_by_id_mut(&target_id)
.ok_or_else(|| anyhow::anyhow!("member not found"))?;
let old_role = target.role;
target.role = role;
vault.save_members(&members)?;
let commit_msg = format!(
"org: set role {}{:?}\n\nRelicario-Actor: {} {}\nRelicario-Action: member-role-change\nRelicario-Member: {}",
target_id.as_str(), role,
caller.display_name, caller.member_id.as_str(),
target_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", "members.json"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Changed role {:?}{:?}", old_role, role);
Ok(())
}
pub fn run_create_collection(dir: &Path, slug: &str, display_name: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can create collections");
}
let mut collections = vault.load_collections()?;
if collections.contains_slug(slug) {
anyhow::bail!("collection `{slug}` already exists");
}
if slug.is_empty() || slug.contains('/') || slug.contains('.') {
anyhow::bail!("invalid slug `{slug}` — no slashes or dots, no empty string");
}
collections.collections.push(CollectionDef {
slug: slug.to_string(),
display_name: display_name.to_string(),
created_by: caller.member_id.clone(),
created_at: relicario_core::now_unix(),
});
vault.save_collections(&collections)?;
let commit_msg = format!(
"org: create collection \"{slug}\"\n\nRelicario-Actor: {} {}\nRelicario-Action: collection-create\nRelicario-Collection: {slug}",
caller.display_name, caller.member_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", "collections.json"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Created collection `{slug}`");
Ok(())
}
pub fn run_grant(dir: &Path, member_id_prefix: &str, slug: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can grant collection access");
}
let collections = vault.load_collections()?;
if !collections.contains_slug(slug) {
anyhow::bail!("collection `{slug}` does not exist — create it first");
}
let mut members = vault.load_members()?;
let target_id = resolve_member_id(&members, member_id_prefix)?;
let target = members.find_by_id_mut(&target_id).unwrap();
if target.collections.contains(&slug.to_string()) {
anyhow::bail!("member already has access to `{slug}`");
}
target.collections.push(slug.to_string());
vault.save_members(&members)?;
let commit_msg = format!(
"org: grant {slug} to {}\n\nRelicario-Actor: {} {}\nRelicario-Action: collection-grant\nRelicario-Collection: {slug}\nRelicario-Member: {}",
target_id.as_str(), caller.display_name, caller.member_id.as_str(), target_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", "members.json"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Granted `{slug}` to {}", target_id.as_str());
Ok(())
}
pub fn run_revoke(dir: &Path, member_id_prefix: &str, slug: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_members() {
anyhow::bail!("only owners and admins can revoke collection access");
}
let mut members = vault.load_members()?;
let target_id = resolve_member_id(&members, member_id_prefix)?;
let target = members.find_by_id_mut(&target_id).unwrap();
if !target.collections.contains(&slug.to_string()) {
anyhow::bail!("member does not have access to `{slug}`");
}
target.collections.retain(|s| s != slug);
vault.save_members(&members)?;
let commit_msg = format!(
"org: revoke {slug} from {}\n\nRelicario-Actor: {} {}\nRelicario-Action: collection-revoke\nRelicario-Collection: {slug}\nRelicario-Member: {}",
target_id.as_str(), caller.display_name, caller.member_id.as_str(), target_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", "members.json"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Revoked `{slug}` from {}", target_id.as_str());
Ok(())
}
/// Resolve a member_id prefix (or full ID) to a MemberId.
fn resolve_member_id(members: &OrgMembers, prefix: &str) -> Result<MemberId> {
let hits: Vec<_> = members.members.iter()
.filter(|m| m.member_id.as_str().starts_with(prefix))
.collect();
match hits.len() {
0 => anyhow::bail!("no member matches `{prefix}`"),
1 => Ok(hits[0].member_id.clone()),
_ => anyhow::bail!("ambiguous prefix `{prefix}` — {} matches", hits.len()),
}
}
pub fn run_rotate_key(dir: &Path) -> Result<()> {
// Pull latest state first to detect a concurrent rotation. We must
// distinguish three outcomes:
// * success -> proceed
// * no upstream / no remote -> local-only org, proceed
// * non-fast-forward / conflict -> concurrent rotation, ABORT
let pull = std::process::Command::new("git")
.current_dir(dir)
.args(["pull", "--rebase"])
.output()
.context("spawn git pull --rebase")?;
if !pull.status.success() {
let stderr = String::from_utf8_lossy(&pull.stderr);
let no_upstream = stderr.contains("no tracking information")
|| stderr.contains("There is no tracking information")
|| stderr.contains("does not appear to be a git repository")
|| stderr.contains("Could not read from remote repository")
|| stderr.contains("No remote repository specified");
if no_upstream {
eprintln!("Note: no upstream configured; proceeding with local state.");
} else {
// Best-effort: leave the working tree clean for the retry.
let _ = std::process::Command::new("git")
.current_dir(dir)
.args(["rebase", "--abort"])
.output();
anyhow::bail!(
"Concurrent key rotation detected — pull and re-run org rotate-key."
);
}
}
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_owners() {
anyhow::bail!("only owners can rotate the org master key");
}
let members = vault.load_members()?;
let new_org_key = relicario_core::generate_org_key();
// Re-wrap the org key for every current member.
let mut staged_paths: Vec<String> = Vec::new();
for member in &members.members {
let wrapped = wrap_org_key(&new_org_key, &member.ed25519_pubkey)
.with_context(|| format!("wrap key for {}", member.display_name))?;
let key_path = vault.member_key_path(&member.member_id);
crate::org_session::atomic_write(&key_path, &wrapped)
.with_context(|| format!("write key for {}", member.display_name))?;
staged_paths.push(format!("keys/{}.enc", member.member_id.as_str()));
}
// Re-encrypt EVERY item blob under the new key. Items live collection-scoped
// at items/<collection-slug>/<id>.enc. Decrypt with the old key (held in the
// open vault session) and re-encrypt with the new one, in place. Without this
// a removed member who kept the old key + a clone could still decrypt every
// pre-rotation item.
let items_root = vault.root().join("items");
if items_root.is_dir() {
for slug_entry in fs::read_dir(&items_root).context("read items/")? {
let slug_entry = slug_entry.context("read items/ entry")?;
let slug_dir = slug_entry.path();
if !slug_dir.is_dir() {
continue;
}
let slug = slug_entry.file_name().to_string_lossy().to_string();
for item_entry in fs::read_dir(&slug_dir)
.with_context(|| format!("read items/{slug}/"))?
{
let item_entry = item_entry.context("read item entry")?;
let item_path = item_entry.path();
if item_path.extension().and_then(|e| e.to_str()) != Some("enc") {
continue;
}
let old_bytes = fs::read(&item_path)
.with_context(|| format!("read {}", item_path.display()))?;
let item = relicario_core::decrypt_item(&old_bytes, vault.key())
.with_context(|| format!("decrypt {}", item_path.display()))?;
let new_bytes = relicario_core::encrypt_item(&item, &new_org_key)
.with_context(|| format!("re-encrypt {}", item_path.display()))?;
crate::org_session::atomic_write(&item_path, &new_bytes)?;
let file_name = item_entry.file_name().to_string_lossy().to_string();
staged_paths.push(format!("items/{slug}/{file_name}"));
}
}
}
// Re-encrypt the manifest with the new key.
let manifest = vault.load_manifest()?;
let new_manifest_bytes = relicario_core::encrypt_org_manifest(&manifest, &new_org_key)?;
crate::org_session::atomic_write(&vault.manifest_path(), &new_manifest_bytes)?;
staged_paths.push("manifest.enc".to_string());
// Commit
let mut add_args = vec!["add"];
let path_refs: Vec<&str> = staged_paths.iter().map(|s| s.as_str()).collect();
add_args.extend_from_slice(&path_refs);
crate::org_session::org_git_run(&vault.root, &add_args, "git add")?;
let commit_msg = format!(
"org: rotate org master key\n\nRelicario-Actor: {} {}\nRelicario-Action: key-rotate",
caller.display_name, caller.member_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!(
"Key rotated. {} member key(s) re-wrapped; all item blobs + manifest re-encrypted.",
members.members.len()
);
Ok(())
}
pub fn run_status(dir: &Path) -> Result<()> {
let root = crate::org_session::org_dir(Some(dir))?;
let meta: relicario_core::OrgMeta = {
let s = fs::read_to_string(root.join("org.json")).context("read org.json")?;
serde_json::from_str(&s)?
};
let members: OrgMembers = {
let s = fs::read_to_string(root.join("members.json")).context("read members.json")?;
serde_json::from_str(&s)?
};
let collections: OrgCollections = {
let s = fs::read_to_string(root.join("collections.json")).context("read collections.json")?;
serde_json::from_str(&s)?
};
println!("Org: {} ({})", meta.display_name, meta.org_id.as_str());
println!();
println!("Members ({}):", members.members.len());
for m in &members.members {
let colls = if m.collections.is_empty() {
"(no collections)".to_string()
} else {
m.collections.join(", ")
};
println!(" {:?} {} {} [{}]", m.role, m.member_id.as_str(), m.display_name, colls);
}
println!();
println!("Collections ({}):", collections.collections.len());
for c in &collections.collections {
println!(" {}{}", c.slug, c.display_name);
}
Ok(())
}
#[derive(Debug, serde::Serialize)]
pub struct AuditEvent {
pub commit: String,
pub timestamp: String,
/// Actor as resolved from the VERIFIED signing key (authoritative).
pub actor_name: Option<String>,
pub actor_id: Option<String>,
/// Actor id as CLAIMED by the commit trailer (advisory; for tamper-checking).
pub trailer_actor_id: Option<String>,
pub action: Option<String>,
pub collection: Option<String>,
pub item_id: Option<String>,
pub device_id: Option<String>,
/// True when the trailer's claimed actor disagrees with the verified signer,
/// or when no current member matches the signing key.
pub tampered: bool,
}
fn parse_trailer_block(commit: &str, timestamp: &str, trailers: &str) -> AuditEvent {
let mut ev = AuditEvent {
commit: commit.to_string(),
timestamp: timestamp.to_string(),
actor_name: None,
actor_id: None,
trailer_actor_id: None,
action: None,
collection: None,
item_id: None,
device_id: None,
tampered: false,
};
for line in trailers.lines() {
let line = line.trim();
if let Some(rest) = line.strip_prefix("Relicario-Actor:") {
// Contract format: "<name> <member_id>" (member_id is the last token).
let rest = rest.trim();
if let Some((_name, id)) = rest.rsplit_once(' ') {
ev.trailer_actor_id = Some(id.trim().to_string());
} else if !rest.is_empty() {
ev.trailer_actor_id = Some(rest.to_string());
}
} else if let Some(v) = line.strip_prefix("Relicario-Action:") {
ev.action = Some(v.trim().to_string());
} else if let Some(v) = line.strip_prefix("Relicario-Collection:") {
ev.collection = Some(v.trim().to_string());
} else if let Some(v) = line.strip_prefix("Relicario-Item:") {
ev.item_id = Some(v.trim().to_string());
} else if let Some(v) = line.strip_prefix("Relicario-Device:") {
ev.device_id = Some(v.trim().to_string());
}
}
ev
}
/// Resolve a commit's SSH signature fingerprint to a current member, mirroring
/// the pre-receive hook: build an allowed_signers from members.json, inject it
/// via GIT_CONFIG_*, run `git verify-commit --raw`, parse the SHA256: key from
/// stderr. Returns None if the commit is unsigned or the signer is not a member.
fn resolve_signer<'m>(
root: &Path,
commit: &str,
members: &'m relicario_core::OrgMembers,
) -> Option<&'m relicario_core::OrgMember> {
use std::io::Write;
let mut tmp = tempfile::NamedTempFile::new().ok()?;
for m in &members.members {
let _ = writeln!(tmp, "relicario {}", m.ed25519_pubkey.trim());
}
let allowed_path = tmp.path();
let output = std::process::Command::new("git")
.current_dir(root)
.args(["verify-commit", "--raw", commit])
.env("GIT_CONFIG_COUNT", "1")
.env("GIT_CONFIG_KEY_0", "gpg.ssh.allowedSignersFile")
.env("GIT_CONFIG_VALUE_0", allowed_path.as_os_str())
.output()
.ok()?;
let stderr = String::from_utf8_lossy(&output.stderr);
let re = regex::Regex::new(r"key (SHA256:[A-Za-z0-9+/]+)").ok()?;
let fp = re.captures(&stderr)?.get(1)?.as_str().to_string();
members.members.iter().find(|m| {
relicario_core::fingerprint(&m.ed25519_pubkey).ok().as_deref() == Some(fp.as_str())
})
}
pub fn run_audit(
dir: &Path,
since: Option<&str>,
member_filter: Option<&str>,
collection_filter: Option<&str>,
action_filter: Option<&str>,
format: &str,
) -> Result<()> {
// Spec surface is `--format <table|json>` (default table). Accept only those.
let json = match format {
"json" => true,
"table" => false,
other => anyhow::bail!("unknown --format `{other}` — use table or json"),
};
let root = crate::org_session::org_dir(Some(dir))?;
// members.json — needed to resolve each commit's verified signer to a member.
let members: relicario_core::OrgMembers = {
let s = fs::read_to_string(root.join("members.json")).context("read members.json")?;
serde_json::from_str(&s).context("parse members.json")?
};
// git log framed with a record separator (%x1e, U+001E) PER COMMIT and a
// field separator (%x1f, U+001F) between fields, so multi-line trailer
// values cannot misalign record boundaries. Committer date (%cI), not
// author date: it is what revocation/audit is anchored to.
let fmt = "%x1e%H%x1f%cI%x1f%(trailers:only=true,unfold=true)";
let mut args: Vec<String> = vec!["log".into(), format!("--format={fmt}")];
if let Some(s) = since {
args.push(format!("--since={s}"));
}
let output = std::process::Command::new("git")
.current_dir(&root)
.args(&args)
.output()
.context("git log")?;
let log = String::from_utf8_lossy(&output.stdout);
let mut events: Vec<AuditEvent> = Vec::new();
for record in log.split('\u{1e}') {
let record = record.trim_start_matches('\n');
if record.trim().is_empty() {
continue;
}
let mut fields = record.splitn(3, '\u{1f}');
let commit = fields.next().unwrap_or("").trim();
let ts = fields.next().unwrap_or("").trim();
let trailers = fields.next().unwrap_or("");
if commit.is_empty() {
continue;
}
let mut ev = parse_trailer_block(commit, ts, trailers);
if ev.action.is_none() {
continue; // not an org commit
}
// Resolve the VERIFIED signer and attribute it as the authoritative actor.
match resolve_signer(&root, commit, &members) {
Some(m) => {
ev.actor_name = Some(m.display_name.clone());
ev.actor_id = Some(m.member_id.as_str().to_string());
// Tampered if the trailer claims a different actor than the signer.
if let Some(claimed) = ev.trailer_actor_id.as_deref() {
if claimed != m.member_id.as_str() {
ev.tampered = true;
}
}
}
None => {
// No current member matched the signature -> cannot trust the
// trailer's claimed actor.
ev.tampered = true;
}
}
if let Some(mid) = member_filter {
// Filter on the VERIFIED actor id, not the spoofable trailer.
if ev.actor_id.as_deref() != Some(mid) {
continue;
}
}
if let Some(col) = collection_filter {
if ev.collection.as_deref() != Some(col) {
continue;
}
}
if let Some(act) = action_filter {
if ev.action.as_deref() != Some(act) {
continue;
}
}
events.push(ev);
}
if json {
println!("{}", serde_json::to_string_pretty(&events)?);
} else {
println!("{:<44} {:<26} {:<20} {:<18} {}", "COMMIT", "TIMESTAMP", "ACTION", "ACTOR", "FLAG");
for ev in &events {
println!("{:<44} {:<26} {:<20} {:<18} {}",
ev.commit,
ev.timestamp,
ev.action.as_deref().unwrap_or("-"),
ev.actor_name.as_deref().unwrap_or("<unverified>"),
if ev.tampered { "TAMPERED" } else { "" },
);
}
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
use relicario_core::{MemberId, OrgMembers, OrgRole, OrgMember};
#[test]
fn parse_trailers_extracts_relicario_fields() {
// Contract trailer shape: "Relicario-Actor: <name> <member_id>".
let raw = "Relicario-Actor: alice a1b2c3d4e5f6a1b2\nRelicario-Action: item-create\nRelicario-Collection: prod\n";
let event = parse_trailer_block("abc123", "2026-06-06T12:00:00+00:00", raw);
assert_eq!(event.action.as_deref(), Some("item-create"));
assert_eq!(event.collection.as_deref(), Some("prod"));
// The verified actor_id is resolved later from the signature, not the trailer;
// the trailer only populates trailer_actor_id here.
assert_eq!(event.trailer_actor_id.as_deref(), Some("a1b2c3d4e5f6a1b2"));
assert_eq!(event.actor_id, None);
assert!(!event.tampered);
}
fn alice() -> OrgMember {
OrgMember {
member_id: MemberId::new(),
display_name: "Alice".into(),
role: OrgRole::Member,
ed25519_pubkey: "ssh-ed25519 AAAA fake".into(),
collections: vec![],
added_at: 0,
added_by: MemberId::new(),
}
}
#[test]
fn new_key_differs_from_old_key() {
let k1 = relicario_core::generate_org_key();
let k2 = relicario_core::generate_org_key();
assert_ne!(*k1, *k2);
}
#[test]
fn set_role_changes_role() {
let mut members = OrgMembers::new();
let a = alice();
let id = a.member_id.clone();
members.members.push(a);
if let Some(m) = members.find_by_id_mut(&id) {
m.role = OrgRole::Admin;
}
assert_eq!(members.find_by_id(&id).unwrap().role, OrgRole::Admin);
}
#[test]
fn grant_adds_slug_to_member_collections() {
let mut members = OrgMembers::new();
let a = alice();
let id = a.member_id.clone();
members.members.push(a);
let m = members.find_by_id_mut(&id).unwrap();
if !m.collections.contains(&"prod".to_string()) {
m.collections.push("prod".to_string());
}
assert!(members.find_by_id(&id).unwrap().collections.contains(&"prod".to_string()));
}
#[test]
fn revoke_removes_slug_from_member_collections() {
let mut members = OrgMembers::new();
let mut a = alice();
a.collections = vec!["prod".into(), "dev".into()];
let id = a.member_id.clone();
members.members.push(a);
let m = members.find_by_id_mut(&id).unwrap();
m.collections.retain(|s| s != "prod");
assert!(!members.find_by_id(&id).unwrap().collections.contains(&"prod".to_string()));
assert!(members.find_by_id(&id).unwrap().collections.contains(&"dev".to_string()));
}
}

89
crates/relicario-cli/src/device.rs
View File

@@ -99,6 +99,48 @@ pub fn load_signing_key(name: &str) -> Result<Zeroizing<String>> {
Ok(Zeroizing::new(key)) Ok(Zeroizing::new(key))
} }
/// Read the active device's ed25519 public key (OpenSSH single-line format,
/// e.g. `ssh-ed25519 AAAA... comment`) from `signing.pub`.
///
/// Errors if no device is selected (`devices/current` missing/empty) — the
/// caller should hint the user to run `relicario device add` first.
pub fn current_device_pubkey() -> Result<String> {
let name = current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
let path = device_dir(&name)?.join("signing.pub");
let pubkey = fs::read_to_string(&path)
.with_context(|| format!("read signing.pub for device '{name}'"))?;
let trimmed = pubkey.trim();
if trimmed.is_empty() {
anyhow::bail!("signing.pub for device '{name}' is empty");
}
Ok(trimmed.to_string())
}
/// Read the active device's 32-byte ed25519 seed from `signing.key`
/// (OpenSSH private-key format).
///
/// The seed is the secret scalar used to sign org commits and to unwrap the
/// org key. It is returned in `Zeroizing` so it is wiped on drop. Errors if no
/// device is selected, the key file is unreadable, or the key is not ed25519.
pub fn current_device_seed() -> Result<Zeroizing<[u8; 32]>> {
let name = current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
// load_signing_key reads signing.key as OpenSSH private-key text.
let pem = load_signing_key(&name)?;
let private = ssh_key::PrivateKey::from_openssh(pem.as_str())
.map_err(|e| anyhow::anyhow!("parse signing.key for device '{name}': {e}"))?;
let keypair = private
.key_data()
.ed25519()
.ok_or_else(|| anyhow::anyhow!("signing.key for device '{name}' is not ed25519"))?;
// Ed25519PrivateKey::as_ref() yields &[u8; 32] (verified: ssh-key 0.6.7
// private/ed25519.rs:42). Copy into a Zeroizing array so the seed is wiped.
let mut seed = Zeroizing::new([0u8; 32]);
seed.copy_from_slice(keypair.private.as_ref());
Ok(seed)
}
/// Load the deploy private key for a device. /// Load the deploy private key for a device.
#[allow(dead_code)] #[allow(dead_code)]
pub fn load_deploy_key(name: &str) -> Result<Zeroizing<String>> { pub fn load_deploy_key(name: &str) -> Result<Zeroizing<String>> {
@@ -127,6 +169,53 @@ pub fn delete_device_keys(name: &str) -> Result<()> {
Ok(()) Ok(())
} }
#[cfg(test)]
mod seed_helper_tests {
use super::*;
use std::sync::Mutex;
// dirs::config_dir() reads process-wide env; serialize these tests.
static ENV_LOCK: Mutex<()> = Mutex::new(());
#[test]
fn current_device_seed_and_pubkey_round_trip() {
let _guard = ENV_LOCK.lock().unwrap();
let tmp = tempfile::tempdir().unwrap();
let prev_xdg = std::env::var_os("XDG_CONFIG_HOME");
std::env::set_var("XDG_CONFIG_HOME", tmp.path());
// Generate a real ed25519 device keypair (OpenSSH text) via core.
let (private_openssh, public_openssh) =
relicario_core::device::generate_keypair().unwrap();
// Lay out devices/test-dev/{signing.key,signing.pub} + devices/current.
let dir = device_dir("test-dev").unwrap();
std::fs::create_dir_all(&dir).unwrap();
std::fs::write(dir.join("signing.key"), private_openssh.as_str()).unwrap();
std::fs::write(dir.join("signing.pub"), &public_openssh).unwrap();
set_current_device("test-dev").unwrap();
// pubkey helper returns exactly the stored OpenSSH public line.
let got_pub = current_device_pubkey().unwrap();
assert_eq!(got_pub.trim(), public_openssh.trim());
// seed helper returns the 32-byte ed25519 seed; re-derive the public
// key from it and confirm it matches.
let seed = current_device_seed().unwrap();
let signing = ed25519_dalek::SigningKey::from_bytes(&seed);
let derived = signing.verifying_key();
let parsed_pub = ssh_key::PublicKey::from_openssh(&public_openssh).unwrap();
let parsed_bytes: &[u8] = parsed_pub.key_data().ed25519().unwrap().as_ref();
assert_eq!(derived.as_bytes().as_slice(), parsed_bytes);
// restore env
match prev_xdg {
Some(v) => std::env::set_var("XDG_CONFIG_HOME", v),
None => std::env::remove_var("XDG_CONFIG_HOME"),
}
}
}
/// Configure git in `vault_root` to: /// Configure git in `vault_root` to:
/// - sign commits with the device's signing key (SSH format) /// - sign commits with the device's signing key (SSH format)
/// - push via SSH using the device's deploy key /// - push via SSH using the device's deploy key

30
crates/relicario-cli/src/main.rs
View File

@@ -9,6 +9,7 @@ mod helpers;
mod parse; mod parse;
mod prompt; mod prompt;
mod session; mod session;
mod org_session;
use std::path::PathBuf; use std::path::PathBuf;
@@ -206,6 +207,15 @@ enum Commands {
#[command(subcommand)] #[command(subcommand)]
cmd: RecoveryQrCmd, cmd: RecoveryQrCmd,
}, },
/// Manage a multi-user org vault.
Org {
/// Path to the org vault directory (overrides RELICARIO_ORG_DIR).
#[arg(long, global = true)]
dir: Option<PathBuf>,
#[command(subcommand)]
subcommand: OrgCommands,
},
} }
#[derive(Subcommand)] #[derive(Subcommand)]
@@ -421,6 +431,16 @@ pub(crate) enum RecoveryQrCmd {
Unwrap, Unwrap,
} }
#[derive(clap::Subcommand)]
pub(crate) enum OrgCommands {
/// Create a new org vault.
Init {
#[arg(long)]
name: String,
},
// Admin + item subcommands are added by later tasks (B10-B14).
}
fn main() -> Result<()> { fn main() -> Result<()> {
let cli = Cli::parse(); let cli = Cli::parse();
match cli.command { match cli.command {
@@ -455,6 +475,16 @@ fn main() -> Result<()> {
Commands::Rate { passphrase } => commands::rate::cmd_rate(passphrase), Commands::Rate { passphrase } => commands::rate::cmd_rate(passphrase),
Commands::Device { action } => commands::device::cmd_device(action), Commands::Device { action } => commands::device::cmd_device(action),
Commands::RecoveryQr { cmd } => commands::recovery_qr::cmd_recovery_qr(cmd), Commands::RecoveryQr { cmd } => commands::recovery_qr::cmd_recovery_qr(cmd),
Commands::Org { dir, subcommand } => {
let dir_path = dir.as_deref();
match subcommand {
OrgCommands::Init { name } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_init(&d, &name)?;
Ok(())
}
}
}
} }
} }

320
crates/relicario-cli/src/org_session.rs Normal file
View File

@@ -0,0 +1,320 @@
//! Unlocked org vault session: holds the org master key for the duration of a
//! CLI invocation.
use std::fs;
use std::path::{Path, PathBuf};
use anyhow::{bail, Context, Result};
use zeroize::Zeroizing;
use relicario_core::{
decrypt_item, decrypt_org_manifest, encrypt_item, encrypt_org_manifest,
Item, ItemId, MemberId, OrgCollections, OrgManifest, OrgMember, OrgMembers, OrgMeta,
};
pub struct UnlockedOrgVault {
pub root: PathBuf,
pub org_key: Zeroizing<[u8; 32]>,
}
impl UnlockedOrgVault {
pub fn root(&self) -> &Path { &self.root }
pub fn key(&self) -> &Zeroizing<[u8; 32]> { &self.org_key }
pub fn manifest_path(&self) -> PathBuf { self.root.join("manifest.enc") }
/// Collection-scoped item path: `items/<collection-slug>/<id>.enc`.
/// The leading slug segment is what the pre-receive hook authorizes against
/// members.json — it never decrypts the blob. The slug must be non-empty and
/// already validated.
pub fn item_path(&self, collection_slug: &str, id: &ItemId) -> PathBuf {
self.root
.join("items")
.join(collection_slug)
.join(format!("{}.enc", id.as_str()))
}
pub fn member_key_path(&self, id: &MemberId) -> PathBuf {
self.root.join("keys").join(format!("{}.enc", id.as_str()))
}
pub fn members_path(&self) -> PathBuf { self.root.join("members.json") }
pub fn collections_path(&self) -> PathBuf { self.root.join("collections.json") }
pub fn org_meta_path(&self) -> PathBuf { self.root.join("org.json") }
pub fn load_meta(&self) -> Result<OrgMeta> {
let s = fs::read_to_string(self.org_meta_path()).context("read org.json")?;
Ok(serde_json::from_str(&s).context("parse org.json")?)
}
pub fn load_members(&self) -> Result<OrgMembers> {
let s = fs::read_to_string(self.members_path()).context("read members.json")?;
Ok(serde_json::from_str(&s).context("parse members.json")?)
}
pub fn save_members(&self, members: &OrgMembers) -> Result<()> {
let json = serde_json::to_string_pretty(members)?;
atomic_write(&self.members_path(), json.as_bytes())
}
pub fn load_collections(&self) -> Result<OrgCollections> {
let s = fs::read_to_string(self.collections_path()).context("read collections.json")?;
Ok(serde_json::from_str(&s).context("parse collections.json")?)
}
pub fn save_collections(&self, collections: &OrgCollections) -> Result<()> {
let json = serde_json::to_string_pretty(collections)?;
atomic_write(&self.collections_path(), json.as_bytes())
}
pub fn load_manifest(&self) -> Result<OrgManifest> {
let bytes = fs::read(self.manifest_path()).context("read manifest.enc")?;
Ok(decrypt_org_manifest(&bytes, &self.org_key)?)
}
pub fn save_manifest(&self, manifest: &OrgManifest) -> Result<()> {
let bytes = encrypt_org_manifest(manifest, &self.org_key)?;
atomic_write(&self.manifest_path(), &bytes)
}
/// Encrypt + write an item under its collection directory, creating the
/// directory if needed. Returns the repo-relative path for git staging.
pub fn save_item(&self, collection_slug: &str, item: &Item) -> Result<String> {
let path = self.item_path(collection_slug, &item.id);
if let Some(parent) = path.parent() {
fs::create_dir_all(parent)
.with_context(|| format!("create {}", parent.display()))?;
}
let bytes = encrypt_item(item, &self.org_key)?;
atomic_write(&path, &bytes)?;
Ok(format!("items/{}/{}.enc", collection_slug, item.id.as_str()))
}
/// Read + decrypt an item from its collection directory.
pub fn load_item(&self, collection_slug: &str, id: &ItemId) -> Result<Item> {
let path = self.item_path(collection_slug, id);
let bytes = fs::read(&path)
.with_context(|| format!("read item {}", path.display()))?;
Ok(decrypt_item(&bytes, &self.org_key)?)
}
/// Delete an item blob. Missing file is not an error (partial-write
/// recovery, same as the personal-vault purge path).
pub fn remove_item(&self, collection_slug: &str, id: &ItemId) -> Result<()> {
let path = self.item_path(collection_slug, id);
match fs::remove_file(&path) {
Ok(()) => Ok(()),
Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(()),
Err(e) => Err(anyhow::Error::from(e)
.context(format!("delete {}", path.display()))),
}
}
/// Bail unless `member` has `slug` in their collection grants. The slug
/// existence check is done separately by the caller against collections.json.
pub fn ensure_grant(member: &OrgMember, slug: &str) -> Result<()> {
if member.collections.iter().any(|c| c == slug) {
Ok(())
} else {
bail!(
"access denied: you do not have a grant for collection `{slug}` — ask an admin to run `relicario org grant`"
)
}
}
/// Load members.json and find the caller's member entry by matching the
/// current device's ed25519 fingerprint against each member's pubkey
/// fingerprint. Fingerprint comparison (not raw OpenSSH-string equality)
/// tolerates comment/whitespace differences in the serialized key.
pub fn current_member(&self) -> Result<relicario_core::OrgMember> {
let device_fp = current_device_fingerprint()?;
let members = self.load_members()?;
members
.members
.into_iter()
.find(|m| {
relicario_core::fingerprint(&m.ed25519_pubkey)
.ok()
.as_deref()
== Some(device_fp.as_str())
})
.ok_or_else(|| {
anyhow::anyhow!(
"your device key is not registered in this org — ask an admin to run `org add-member`"
)
})
}
}
/// Locate the org vault root from RELICARIO_ORG_DIR env var or --dir flag value.
pub fn org_dir(dir_flag: Option<&std::path::Path>) -> Result<PathBuf> {
if let Some(d) = dir_flag {
return Ok(d.to_path_buf());
}
if let Ok(v) = std::env::var("RELICARIO_ORG_DIR") {
return Ok(PathBuf::from(v));
}
bail!("org vault location required: set RELICARIO_ORG_DIR or pass --dir <path>")
}
/// Open an org vault: locate the root, read members.json to find the caller's
/// member entry (by ed25519 fingerprint), then unwrap their keys/<id>.enc to
/// recover the org master key.
pub fn open_org_vault(dir_flag: Option<&std::path::Path>) -> Result<UnlockedOrgVault> {
let root = org_dir(dir_flag)?;
let device_fp = current_device_fingerprint()?;
let members_json = fs::read_to_string(root.join("members.json"))
.context("read members.json — is this an org vault?")?;
let members: OrgMembers = serde_json::from_str(&members_json).context("parse members.json")?;
let member = members
.members
.iter()
.find(|m| {
relicario_core::fingerprint(&m.ed25519_pubkey)
.ok()
.as_deref()
== Some(device_fp.as_str())
})
.ok_or_else(|| anyhow::anyhow!("your device key is not in this org"))?;
// Load this member's wrapped key blob.
let key_path = root
.join("keys")
.join(format!("{}.enc", member.member_id.as_str()));
let wrapped =
fs::read(&key_path).with_context(|| format!("read {}", key_path.display()))?;
// Recover the device ed25519 seed and unwrap.
let seed = current_device_seed()?;
let org_key = relicario_core::unwrap_org_key(&wrapped, &seed)?;
Ok(UnlockedOrgVault { root, org_key })
}
/// OpenSSH SHA-256 fingerprint of the active device's signing key.
fn current_device_fingerprint() -> Result<String> {
let name = crate::device::current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
let pub_path = crate::device::device_dir(&name)?.join("signing.pub");
let pubkey = fs::read_to_string(&pub_path)
.with_context(|| format!("read {}", pub_path.display()))?;
Ok(relicario_core::fingerprint(pubkey.trim())?)
}
/// Recover the active device's ed25519 seed (the 32-byte private scalar source)
/// from its OpenSSH `signing.key`, for ECIES unwrap.
fn current_device_seed() -> Result<Zeroizing<[u8; 32]>> {
let name = crate::device::current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
let key_pem = crate::device::load_signing_key(&name)?;
let private = ssh_key::PrivateKey::from_openssh(key_pem.as_str())
.map_err(|e| anyhow::anyhow!("parse device signing key: {e}"))?;
let ed = private
.key_data()
.ed25519()
.ok_or_else(|| anyhow::anyhow!("device signing key is not ed25519"))?;
// Ed25519PrivateKey derefs to its 32-byte seed.
let seed_bytes: &[u8] = ed.private.as_ref();
if seed_bytes.len() != 32 {
anyhow::bail!("ed25519 seed has wrong length: {}", seed_bytes.len());
}
let mut seed = Zeroizing::new([0u8; 32]);
seed.copy_from_slice(seed_bytes);
Ok(seed)
}
pub(crate) fn atomic_write(path: &Path, data: &[u8]) -> Result<()> {
let mut tmp = path.as_os_str().to_owned();
tmp.push(".tmp");
let tmp = PathBuf::from(tmp);
fs::write(&tmp, data).with_context(|| format!("write {}", tmp.display()))?;
fs::rename(&tmp, path).with_context(|| format!("rename {}", tmp.display()))?;
Ok(())
}
/// Run `git <args>` in the org repo, capturing output and replaying it on
/// failure. Unlike `crate::helpers::git_run`, this does NOT inject
/// `commit.gpgsign=false` / `core.hooksPath=/dev/null`: org commits MUST be
/// signed (the pre-receive hook verifies every commit's signature), and the
/// repo's signing config is established by `configure_git_signing` during
/// `org init`.
pub(crate) fn org_git_run(root: &Path, args: &[&str], context: &str) -> Result<()> {
let output = std::process::Command::new("git")
.current_dir(root)
.args(args)
.output()
.with_context(|| format!("{context}: failed to spawn git"))?;
if !output.status.success() {
if !output.stdout.is_empty() {
eprint!("{}", String::from_utf8_lossy(&output.stdout));
}
if !output.stderr.is_empty() {
eprint!("{}", String::from_utf8_lossy(&output.stderr));
}
anyhow::bail!("{context}: git failed ({})", output.status);
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
use tempfile::TempDir;
use std::fs;
fn make_vault(key: Zeroizing<[u8; 32]>) -> (TempDir, UnlockedOrgVault) {
let dir = TempDir::new().unwrap();
let root = dir.path().to_path_buf();
fs::create_dir_all(root.join("items")).unwrap();
fs::create_dir_all(root.join("keys")).unwrap();
let vault = UnlockedOrgVault { root, org_key: key };
(dir, vault)
}
#[test]
fn unlocked_org_vault_paths() {
let key = Zeroizing::new([0u8; 32]);
let (dir, vault) = make_vault(key);
let root = dir.path().to_path_buf();
assert_eq!(vault.manifest_path(), root.join("manifest.enc"));
assert_eq!(
vault.member_key_path(&MemberId("abc0def1abc0def1".into())),
root.join("keys/abc0def1abc0def1.enc")
);
assert_eq!(
vault.item_path("prod", &relicario_core::ItemId("0123456789abcdef".into())),
root.join("items/prod/0123456789abcdef.enc")
);
}
#[test]
fn save_and_load_manifest() {
let key = Zeroizing::new([0xAAu8; 32]);
let (dir, vault) = make_vault(key);
let _ = dir; // keep alive
let mut m = OrgManifest::new();
m.entries.push(relicario_core::OrgManifestEntry {
id: relicario_core::ItemId::new(),
r#type: relicario_core::ItemType::SecureNote,
title: "test".into(),
tags: vec![],
modified: 0,
trashed_at: None,
collection: "prod".into(),
});
vault.save_manifest(&m).unwrap();
let loaded = vault.load_manifest().unwrap();
assert_eq!(loaded.entries.len(), 1);
}
#[test]
fn save_and_load_members() {
let key = Zeroizing::new([0u8; 32]);
let (dir, vault) = make_vault(key);
let _ = dir;
let members = OrgMembers::new();
vault.save_members(&members).unwrap();
let loaded = vault.load_members().unwrap();
assert_eq!(loaded.schema_version, 1);
}
}

24
crates/relicario-cli/tests/org_init.rs Normal file
View File

@@ -0,0 +1,24 @@
use tempfile::TempDir;
fn run(args: &[&str]) -> std::process::Output {
std::process::Command::new(env!("CARGO_BIN_EXE_relicario"))
.args(args)
.output()
.expect("run relicario")
}
#[test]
#[ignore] // requires a device key on disk; run manually or via org_init_signing
fn org_init_creates_expected_files() {
let dir = TempDir::new().unwrap();
let path = dir.path().to_str().unwrap();
// `--dir` is a subcommand-scoped global on `org` (B14), so it must come
// AFTER `org init`, not before it (matches B10's OrgFixture).
let out = run(&["org", "init", "--dir", path, "--name", "Test Org"]);
assert!(out.status.success(), "stderr: {}", String::from_utf8_lossy(&out.stderr));
assert!(dir.path().join("org.json").exists());
assert!(dir.path().join("members.json").exists());
assert!(dir.path().join("collections.json").exists());
assert!(dir.path().join("manifest.enc").exists());
assert!(dir.path().join(".git").exists());
}

145
crates/relicario-cli/tests/org_init_signing.rs Normal file
View File

@@ -0,0 +1,145 @@
use std::fs;
use std::path::Path;
use std::process::Command;
use tempfile::TempDir;
fn relicario(config_home: &Path, args: &[&str]) -> std::process::Output {
Command::new(env!("CARGO_BIN_EXE_relicario"))
.env("XDG_CONFIG_HOME", config_home)
.env("HOME", config_home) // belt-and-suspenders for dirs on all platforms
.args(args)
.output()
.expect("run relicario")
}
/// Like relicario() but also injects the git committer identity so that
/// `git commit` inside `org init` doesn't fail with "Please tell me who you are."
fn relicario_with_git_identity(config_home: &Path, args: &[&str]) -> std::process::Output {
Command::new(env!("CARGO_BIN_EXE_relicario"))
.env("XDG_CONFIG_HOME", config_home)
.env("HOME", config_home)
.env("GIT_AUTHOR_NAME", "Test Device")
.env("GIT_AUTHOR_EMAIL", "test@relicario.test")
.env("GIT_COMMITTER_NAME", "Test Device")
.env("GIT_COMMITTER_EMAIL", "test@relicario.test")
.args(args)
.output()
.expect("run relicario")
}
fn git(repo: &Path, args: &[&str]) -> std::process::Output {
Command::new("git")
.current_dir(repo)
.args(args)
.output()
.expect("run git")
}
/// Lay out device keys directly under `<config_home>/relicario/devices/<name>/`
/// and set `devices/current` — mirrors the B2 seed_helper_tests approach.
/// Returns the OpenSSH public key string so the caller can build an allowed_signers
/// file for `git verify-commit`.
fn seed_device(config_home: &Path, name: &str) -> String {
let (priv_openssh, pub_openssh) =
relicario_core::device::generate_keypair().expect("generate_keypair");
let dev_dir = config_home
.join("relicario")
.join("devices")
.join(name);
fs::create_dir_all(&dev_dir).expect("create device dir");
let signing_key_path = dev_dir.join("signing.key");
fs::write(&signing_key_path, priv_openssh.as_str())
.expect("write signing.key");
// ssh requires 0600 on private key files or it refuses to use them.
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
fs::set_permissions(&signing_key_path, fs::Permissions::from_mode(0o600))
.expect("chmod signing.key");
}
fs::write(dev_dir.join("signing.pub"), &pub_openssh)
.expect("write signing.pub");
// Also write stub deploy key files so configure_git_signing doesn't trip on
// a missing deploy.key path (the git config value just points to the file;
// the file itself is never read during org init).
fs::write(dev_dir.join("deploy.key"), "").expect("write stub deploy.key");
fs::write(dev_dir.join("deploy.pub"), "").expect("write stub deploy.pub");
// Set this device as current.
let devices_dir = config_home.join("relicario").join("devices");
fs::write(devices_dir.join("current"), format!("{name}\n"))
.expect("write current");
pub_openssh
}
#[test]
fn org_init_produces_a_signed_initial_commit() {
let cfg = TempDir::new().unwrap();
let org = TempDir::new().unwrap();
// Lay out the device key directly (no `device add` needed — it requires Gitea).
let pub_openssh = seed_device(cfg.path(), "test-dev");
// Initialize the org vault. `--dir` comes AFTER `org init` (B14 global).
// Inject git identity so the commit doesn't fail "Please tell me who you are."
let init = relicario_with_git_identity(
cfg.path(),
&["org", "init", "--dir", org.path().to_str().unwrap(), "--name", "Acme"],
);
assert!(
init.status.success(),
"org init failed:\nstdout: {}\nstderr: {}",
String::from_utf8_lossy(&init.stdout),
String::from_utf8_lossy(&init.stderr)
);
// The org repo must be configured to sign.
let cfg_out = git(org.path(), &["config", "commit.gpgsign"]);
assert_eq!(
String::from_utf8_lossy(&cfg_out.stdout).trim(),
"true",
"org repo must have commit.gpgsign=true"
);
// The HEAD commit object must carry a signature header.
let head = git(org.path(), &["cat-file", "commit", "HEAD"]);
let body = String::from_utf8_lossy(&head.stdout);
assert!(
body.contains("gpgsig "),
"HEAD commit must be signed (no gpgsig header found):\n{body}"
);
// Configure an allowed_signers file so `git verify-commit` can validate the
// SSH signature. The principal must match the committer email injected above.
let allowed_signers_path = cfg.path().join("allowed_signers");
let allowed_line = format!("test@relicario.test {}", pub_openssh.trim());
fs::write(&allowed_signers_path, format!("{allowed_line}\n"))
.expect("write allowed_signers");
git(
org.path(),
&[
"config",
"gpg.ssh.allowedSignersFile",
allowed_signers_path.to_str().unwrap(),
],
);
// Now verify-commit should succeed.
let verify = git(org.path(), &["verify-commit", "HEAD"]);
assert!(
verify.status.success(),
"git verify-commit HEAD failed:\nstdout: {}\nstderr: {}",
String::from_utf8_lossy(&verify.stdout),
String::from_utf8_lossy(&verify.stderr)
);
// The commit body must carry the org-init action trailer.
let log_out = git(org.path(), &["log", "-1", "--format=%B"]);
let commit_body = String::from_utf8_lossy(&log_out.stdout);
assert!(
commit_body.contains("Relicario-Action: org-init"),
"HEAD commit body must contain 'Relicario-Action: org-init' trailer:\n{commit_body}"
);
}

8
crates/relicario-server/Cargo.toml
View File

@@ -5,6 +5,14 @@ edition = "2021"
description = "Pre-receive Git hook for relicario password manager" description = "Pre-receive Git hook for relicario password manager"
license = "GPL-3.0-or-later" license = "GPL-3.0-or-later"
[lib]
name = "relicario_server"
path = "src/lib.rs"
[[bin]]
name = "relicario-server"
path = "src/main.rs"
[dependencies] [dependencies]
relicario-core = { path = "../relicario-core" } relicario-core = { path = "../relicario-core" }
anyhow = "1" anyhow = "1"

58
crates/relicario-server/src/lib.rs Normal file
View File

@@ -0,0 +1,58 @@
//! Library surface for relicario-server, exposing pure helpers used by the
//! pre-receive hooks so they can be unit-tested.
/// Classification of a single changed path inside an org repo.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PathClass {
/// `members.json`, `collections.json`, `org.json` — only Owner/Admin may write.
Protected,
/// `items/<slug>/<id>.enc` — writer must hold a grant for `<slug>`.
Item { collection: String },
/// `keys/<id>.enc`, `manifest.enc`, `.gitignore`, etc. — gated only by the
/// per-commit signature check (signer must be a current member).
Unrestricted,
/// Structurally invalid path; commit must be rejected.
Rejected(String),
}
/// Classify a repo-relative path. Pure; no I/O.
pub fn classify_path(path: &str) -> PathClass {
match path {
"members.json" | "collections.json" | "org.json" => return PathClass::Protected,
_ => {}
}
if let Some(rest) = path.strip_prefix("items/") {
// Expect exactly: <slug>/<id>.enc → two segments after the prefix.
let segments: Vec<&str> = rest.split('/').collect();
if segments.len() != 2 {
return PathClass::Rejected("items path must be items/<slug>/<id>.enc".to_string());
}
let slug = segments[0];
if slug.is_empty() {
return PathClass::Rejected("empty collection slug in items path".to_string());
}
// Defense-in-depth: mirror `OrgCollections::validate` — a slug containing
// '.' (e.g. a `..`/`.` path-traversal attempt) is structurally invalid.
// git normalizes most `./` away before the hook sees the path, so this is
// unreachable today; it keeps the hook self-defensive regardless.
if slug.contains('.') {
return PathClass::Rejected(format!("invalid collection slug: {:?}", slug));
}
return PathClass::Item { collection: slug.to_string() };
}
PathClass::Unrestricted
}
/// Extract the `schema_version` field from any org JSON document.
/// Returns an error if the field is absent or not a u32.
pub fn extract_schema_version(json: &str) -> Result<u32, String> {
let value: serde_json::Value =
serde_json::from_str(json).map_err(|e| format!("parse json: {e}"))?;
value
.get("schema_version")
.and_then(|v| v.as_u64())
.map(|n| n as u32)
.ok_or_else(|| "missing or non-integer schema_version".to_string())
}

416
crates/relicario-server/src/main.rs
View File

@@ -6,6 +6,8 @@ use std::process::Command;
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use clap::{Parser, Subcommand}; use clap::{Parser, Subcommand};
use relicario_core::device::{DeviceEntry, RevokedEntry}; use relicario_core::device::{DeviceEntry, RevokedEntry};
use relicario_core::org::{OrgCollections, OrgMember, OrgMembers, OrgRole};
use relicario_server::{classify_path, extract_schema_version, PathClass};
#[derive(Parser)] #[derive(Parser)]
#[command(name = "relicario-server")] #[command(name = "relicario-server")]
@@ -23,6 +25,13 @@ enum Commands {
}, },
/// Generate a pre-receive hook script. /// Generate a pre-receive hook script.
GenerateHook, GenerateHook,
/// Verify a commit to an org vault: signature + role/path authorization.
VerifyOrgCommit {
/// The commit SHA to verify.
commit: String,
},
/// Generate an org pre-receive hook script.
GenerateOrgHook,
} }
fn main() -> Result<()> { fn main() -> Result<()> {
@@ -31,6 +40,8 @@ fn main() -> Result<()> {
match cli.command { match cli.command {
Commands::VerifyCommit { commit } => verify_commit(&commit), Commands::VerifyCommit { commit } => verify_commit(&commit),
Commands::GenerateHook => generate_hook(), Commands::GenerateHook => generate_hook(),
Commands::VerifyOrgCommit { commit } => verify_org_commit(&commit),
Commands::GenerateOrgHook => generate_org_hook(),
} }
} }
@@ -187,3 +198,408 @@ fn git_show(commit: &str, path: &str) -> Result<String> {
Ok(String::from_utf8(output.stdout)?) Ok(String::from_utf8(output.stdout)?)
} }
/// Verify the SSH signature on `commit` against the given org members and return
/// the matching member. On any failure (unsigned, malformed, or unknown signer)
/// this prints REJECT and calls `std::process::exit(1)`; it only returns on success.
fn verify_org_signer(commit: &str, members: &OrgMembers) -> OrgMember {
// Build a temp allowed-signers file from every current member's pubkey.
let tmp = match tempfile::tempdir() {
Ok(t) => t,
Err(e) => {
eprintln!("REJECT: org commit {commit} — cannot create tempdir: {e}");
std::process::exit(1);
}
};
let allowed_path = tmp.path().join("allowed_signers");
let mut allowed_body = String::new();
for m in &members.members {
allowed_body.push_str("relicario ");
allowed_body.push_str(m.ed25519_pubkey.trim());
allowed_body.push('\n');
}
if let Err(e) = fs::write(&allowed_path, &allowed_body) {
eprintln!("REJECT: org commit {commit} — cannot write allowed_signers: {e}");
std::process::exit(1);
}
// Run git verify-commit --raw with the allowed-signers file injected.
let output = match Command::new("git")
.args(["verify-commit", "--raw", commit])
.env("GIT_CONFIG_COUNT", "1")
.env("GIT_CONFIG_KEY_0", "gpg.ssh.allowedSignersFile")
.env("GIT_CONFIG_VALUE_0", allowed_path.as_os_str())
.output()
{
Ok(o) => o,
Err(e) => {
eprintln!("REJECT: org commit {commit} — git verify-commit failed to run: {e}");
std::process::exit(1);
}
};
let stderr = String::from_utf8_lossy(&output.stderr);
// The org hook builds allowed_signers from EVERY current member, so a clean
// `git verify-commit` exit IS the security gate: a non-zero exit means the
// commit was unsigned, tampered, or signed by a non-member. Make that
// property explicit rather than relying on the stderr regex alone (regex
// output is fragile across git versions). The fingerprint parse + member
// mapping below then identifies WHICH member signed.
if !output.status.success() {
eprintln!(
"REJECT: org commit {commit} — signature did not verify against current members \
(git verify-commit exit {}): {}",
output.status.code().unwrap_or(-1),
stderr.trim()
);
std::process::exit(1);
}
// Parse the SHA-256 fingerprint from stderr (same regex as verify_commit).
let re = regex::Regex::new(r"key (SHA256:[A-Za-z0-9+/]+)").expect("static regex");
let signing_fp = match re.captures(&stderr).and_then(|c| c.get(1)) {
Some(m) => m.as_str().to_string(),
None => {
eprintln!(
"REJECT: org commit {commit} — no valid signature found (stderr: {})",
stderr.trim()
);
std::process::exit(1);
}
};
// Map fingerprint → member via relicario_core::fingerprint over each pubkey.
for m in &members.members {
if let Ok(fp) = relicario_core::fingerprint(&m.ed25519_pubkey) {
if fp == signing_fp {
return m.clone();
}
}
}
eprintln!(
"REJECT: org commit {commit} — signer (fingerprint {signing_fp}) is not a current org member"
);
std::process::exit(1);
}
fn verify_org_commit(commit: &str) -> Result<()> {
// Determine parent count from %P (space-separated parent SHAs; empty = root).
let parents_out = Command::new("git")
.args(["show", "-s", "--format=%P", commit])
.output()
.context("git show parents")?;
let parents_line = String::from_utf8_lossy(&parents_out.stdout);
let parents: Vec<&str> = parents_line.split_whitespace().collect();
// Merge commits are rejected. Org repos are linear (CLI uses pull --rebase).
if parents.len() > 1 {
eprintln!(
"REJECT: org commit {commit} — merge commits are not allowed in org vaults \
({} parents); rebase instead",
parents.len()
);
std::process::exit(1);
}
let is_root = parents.is_empty();
// Load members.json AS OF THIS COMMIT so the genesis commit can authorize itself.
let members_json = match git_show(commit, "members.json") {
Ok(s) => s,
Err(_) => {
if is_root {
eprintln!("OK: org commit {commit} (root bootstrap - no members.json yet)");
return Ok(());
}
eprintln!("REJECT: org commit {commit} — members.json missing from non-root commit");
std::process::exit(1);
}
};
let members: OrgMembers =
serde_json::from_str(&members_json).context("parse members.json")?;
if members.members.is_empty() {
if is_root {
eprintln!("OK: org commit {commit} (root bootstrap - empty member list)");
return Ok(());
}
eprintln!("REJECT: org commit {commit} — members.json has no members");
std::process::exit(1);
}
members
.validate()
.map_err(|e| anyhow::anyhow!("members.json invalid: {e}"))?;
// Verify the signature and resolve the signing member (exits on failure).
let signer = verify_org_signer(commit, &members);
// Enumerate changed paths. Root has no parent to diff, so use ls-tree.
let changed_paths: Vec<String> = if is_root {
let out = Command::new("git")
.args(["ls-tree", "-r", "--name-only", commit])
.output()
.context("git ls-tree")?;
String::from_utf8_lossy(&out.stdout)
.lines()
.map(|l| l.trim().to_string())
.filter(|l| !l.is_empty())
.collect()
} else {
let out = Command::new("git")
.args(["diff-tree", "--no-commit-id", "-r", "--name-only", commit])
.output()
.context("git diff-tree")?;
String::from_utf8_lossy(&out.stdout)
.lines()
.map(|l| l.trim().to_string())
.filter(|l| !l.is_empty())
.collect()
};
// Authorize each changed path against the signing member's role/grants.
// collections.json (as of this commit) is loaded lazily on the first item
// path, for the L5 slug-existence check.
let mut collection_slugs: Option<Vec<String>> = None;
for path in &changed_paths {
match classify_path(path) {
PathClass::Rejected(why) => {
eprintln!("REJECT: org commit {commit} — invalid path `{path}`: {why}");
std::process::exit(1);
}
PathClass::Protected => {
if !signer.role.can_manage_members() {
eprintln!(
"REJECT: org commit {commit} — member '{}' (role {:?}) may not write protected file `{path}`",
signer.display_name, signer.role
);
std::process::exit(1);
}
// Privilege-escalation gate: only an Owner may INTRODUCE or
// ELEVATE an owner/admin. An Admin may write members.json but
// must not mint owners/admins server-side (spec §148/158/271).
if path == "members.json" {
enforce_owner_only_elevation(commit, is_root, &members, &signer);
}
}
PathClass::Item { collection } => {
// The signing member must hold an explicit grant for the slug.
if !signer.collections.iter().any(|c| c == &collection) {
eprintln!(
"REJECT: org commit {commit} — member '{}' lacks a grant for collection `{collection}` (path `{path}`)",
signer.display_name
);
std::process::exit(1);
}
// Slug-existence (L5): the collection must exist in
// collections.json AS OF THIS COMMIT. A write into a
// granted-but-deleted (or never-created) collection is rejected.
let known = collection_slugs.get_or_insert_with(|| {
git_show(commit, "collections.json")
.ok()
.and_then(|s| serde_json::from_str::<OrgCollections>(&s).ok())
.map(|c| c.collections.into_iter().map(|d| d.slug).collect::<Vec<_>>())
.unwrap_or_default()
});
if !known.iter().any(|s| s == &collection) {
eprintln!(
"REJECT: org commit {commit} — item write to collection `{collection}` whose slug is absent from collections.json (path `{path}`)"
);
std::process::exit(1);
}
}
PathClass::Unrestricted => {
// keys/<id>.enc, manifest.enc, etc. — signature check already passed.
}
}
}
// Schema-version monotonicity for the three JSON files (Task C2).
enforce_schema_monotonicity(commit, is_root, &changed_paths)?;
eprintln!(
"OK: org commit {commit} verified — signed by '{}' ({:?}), {} path(s) authorized",
signer.display_name,
signer.role,
changed_paths.len()
);
Ok(())
}
/// Reject the commit unless every newly-introduced or elevated owner/admin is
/// authorized. The signer's AUTHORITY is their role in the PARENT state — the role
/// they held BEFORE this commit — NOT the role this commit may grant them. Reading
/// `signer.role` (which is parsed from the post-change members.json) would let an
/// admin self-promote to owner and then pass this very gate with the owner role
/// they are minting — the exact escalation H-C1 exists to stop. We diff the new
/// members.json against the parent's by member_id and require an owner-authority
/// signer for any member that BECOMES owner/admin (new entry, or a role elevated
/// up to owner/admin). On genesis (root) the sole bootstrap owner is allowed.
///
/// `git_show_parent` is defined alongside `enforce_schema_monotonicity` below.
fn enforce_owner_only_elevation(
commit: &str,
is_root: bool,
new_members: &OrgMembers,
signer: &OrgMember,
) {
let is_privileged = |r: OrgRole| matches!(r, OrgRole::Owner | OrgRole::Admin);
// Genesis: the bootstrap commit introduces the sole owner; allow it.
if is_root {
return;
}
// Parent baseline. If members.json did not exist in the parent, every
// privileged member here is "new" and must be owner-signed.
let parent_members: Vec<(String, OrgRole)> = match git_show_parent(commit, "members.json") {
Ok(s) => serde_json::from_str::<OrgMembers>(&s)
.map(|m| {
m.members
.into_iter()
.map(|m| (m.member_id.0, m.role))
.collect()
})
.unwrap_or_default(),
Err(_) => Vec::new(),
};
let parent_role = |id: &str| -> Option<OrgRole> {
parent_members.iter().find(|(mid, _)| mid == id).map(|(_, r)| *r)
};
// The signer's authority = their PARENT role. A member absent from the parent
// (brand new) has no prior authority and cannot mint owners/admins.
let signer_parent = parent_role(signer.member_id.as_str());
let signer_may_manage_owners = signer_parent.map_or(false, |r| r.can_manage_owners());
for m in &new_members.members {
if !is_privileged(m.role) {
continue;
}
// Skip ONLY if the role is unchanged from the parent (a no-op same-role
// entry). Any CHANGE into a privileged role — a new privileged member,
// Member→Admin/Owner, or Admin→Owner — must be owner-signed.
if parent_role(m.member_id.as_str()) == Some(m.role) {
continue;
}
// A new owner/admin, or a member elevated to owner/admin → owner-only,
// judged by the signer's PRE-commit authority.
if !signer_may_manage_owners {
eprintln!(
"REJECT: org commit {commit} — member '{}' (parent role {:?}) may not introduce or \
elevate owner/admin '{}' to {:?}; only an owner may",
signer.display_name, signer_parent, m.display_name, m.role
);
std::process::exit(1);
}
}
}
fn generate_org_hook() -> Result<()> {
print!(
r#"#!/bin/bash
# Relicario org pre-receive hook -- verify signatures + role/path authorization
while read oldrev newrev refname; do
[ "$newrev" = "0000000000000000000000000000000000000000" ] && continue
if [ "$oldrev" = "0000000000000000000000000000000000000000" ]; then
commits=$(git rev-list "$newrev")
else
commits=$(git rev-list "$oldrev..$newrev")
fi
for commit in $commits; do
relicario-server verify-org-commit "$commit" || exit 1
done
done
"#
);
Ok(())
}
/// For each protected JSON file changed in this commit, ensure schema_version did
/// not decrease vs the parent commit, and re-validate collections.json structure.
fn enforce_schema_monotonicity(
commit: &str,
is_root: bool,
changed_paths: &[String],
) -> Result<()> {
const VERSIONED: [&str; 3] = ["members.json", "collections.json", "org.json"];
for file in VERSIONED {
if !changed_paths.iter().any(|p| p == file) {
continue;
}
// A deletion of a protected file is not allowed.
let new_content = match git_show(commit, file) {
Ok(s) => s,
Err(_) => {
eprintln!(
"REJECT: org commit {commit} — protected file `{file}` was deleted; \
org vaults never delete {file}"
);
std::process::exit(1);
}
};
let new_version = match extract_schema_version(&new_content) {
Ok(v) => v,
Err(e) => {
eprintln!("REJECT: org commit {commit} — `{file}` invalid: {e}");
std::process::exit(1);
}
};
// collections.json structural validation.
if file == "collections.json" {
match serde_json::from_str::<relicario_core::org::OrgCollections>(&new_content) {
Ok(c) => {
if let Err(e) = c.validate() {
eprintln!("REJECT: org commit {commit} — collections.json invalid: {e}");
std::process::exit(1);
}
}
Err(e) => {
eprintln!("REJECT: org commit {commit} — collections.json parse error: {e}");
std::process::exit(1);
}
}
}
// On the root commit there is no parent baseline; any starting version is fine.
if is_root {
continue;
}
// Parent version: if the file did not exist in the parent (newly added),
// there is no prior version to regress against — accept.
if let Ok(old_content) = git_show_parent(commit, file) {
let old_version = match extract_schema_version(&old_content) {
Ok(v) => v,
Err(_) => {
continue;
}
};
if new_version < old_version {
eprintln!(
"REJECT: org commit {commit} — `{file}` schema_version decreased \
({old_version} -> {new_version})"
);
std::process::exit(1);
}
}
}
Ok(())
}
/// Read a file from a commit's FIRST PARENT tree: `git show {commit}^:{path}`.
fn git_show_parent(commit: &str, path: &str) -> Result<String> {
let output = Command::new("git")
.args(["show", &format!("{}^:{}", commit, path)])
.output()
.context("git show parent")?;
if !output.status.success() {
anyhow::bail!("git show {}^:{} failed", commit, path);
}
Ok(String::from_utf8(output.stdout)?)
}

81
crates/relicario-server/tests/org_hook.rs Normal file
View File

@@ -0,0 +1,81 @@
// Integration tests for relicario-server org-hook path classification.
use relicario_server::{classify_path, PathClass};
#[test]
fn protected_files_are_classified_protected() {
assert_eq!(classify_path("members.json"), PathClass::Protected);
assert_eq!(classify_path("collections.json"), PathClass::Protected);
assert_eq!(classify_path("org.json"), PathClass::Protected);
}
#[test]
fn item_write_yields_collection_slug() {
assert_eq!(
classify_path("items/prod/a1b2c3d4e5f6a1b2.enc"),
PathClass::Item { collection: "prod".to_string() }
);
}
#[test]
fn item_write_nested_slug_is_rejected() {
// Slugs cannot contain '/', so a path with extra segments is malformed → Rejected.
assert_eq!(
classify_path("items/prod/sub/x.enc"),
PathClass::Rejected("items path must be items/<slug>/<id>.enc".to_string())
);
}
#[test]
fn key_blobs_and_manifest_are_unrestricted() {
// keys/<id>.enc and manifest.enc are written by org operations; the SIGNATURE
// check (every commit must be signed by a current member) is the gate for them.
assert_eq!(classify_path("keys/a1b2c3d4e5f6a1b2.enc"), PathClass::Unrestricted);
assert_eq!(classify_path("manifest.enc"), PathClass::Unrestricted);
}
#[test]
fn items_without_slug_segment_are_rejected() {
// Flat items/<id>.enc (the OLD, now-removed layout) is no longer valid.
assert_eq!(
classify_path("items/a1b2c3d4e5f6a1b2.enc"),
PathClass::Rejected("items path must be items/<slug>/<id>.enc".to_string())
);
}
#[test]
fn empty_slug_segment_is_rejected() {
assert_eq!(
classify_path("items//x.enc"),
PathClass::Rejected("empty collection slug in items path".to_string())
);
}
#[test]
fn dotted_slug_is_rejected() {
// Defense-in-depth (mirrors OrgCollections::validate): a slug containing '.'
// — e.g. a ".."/"." path-traversal attempt — is rejected.
assert_eq!(
classify_path("items/../x.enc"),
PathClass::Rejected("invalid collection slug: \"..\"".to_string())
);
}
use relicario_server::extract_schema_version;
#[test]
fn extract_schema_version_reads_field() {
let json = r#"{ "schema_version": 3, "members": [] }"#;
assert_eq!(extract_schema_version(json).unwrap(), 3);
}
#[test]
fn extract_schema_version_errors_on_missing_field() {
let json = r#"{ "members": [] }"#;
assert!(extract_schema_version(json).is_err());
}
#[test]
fn extract_schema_version_errors_on_garbage() {
assert!(extract_schema_version("not json").is_err());
}

229
crates/relicario-server/tests/org_hook_signed.rs Normal file
View File

@@ -0,0 +1,229 @@
//! Integration tests for `relicario-server verify-org-commit` privilege gating.
//!
//! H-C1: only an Owner may introduce or elevate an owner/admin. An Admin who
//! writes members.json must not be able to mint owners/admins.
use std::fs;
use std::path::{Path, PathBuf};
use std::process::Command;
use assert_cmd::Command as AssertCommand;
use predicates::prelude::*;
use relicario_core::device::generate_keypair;
use tempfile::TempDir;
fn write_keypair(dir: &Path, name: &str) -> (PathBuf, String) {
let (priv_pem, pub_line) = generate_keypair().expect("generate keypair");
let priv_path = dir.join(format!("{name}.key"));
fs::write(&priv_path, priv_pem.as_str()).unwrap();
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
fs::set_permissions(&priv_path, fs::Permissions::from_mode(0o600)).unwrap();
}
(priv_path, pub_line)
}
fn git(repo: &Path, args: &[&str]) {
let status = Command::new("git").current_dir(repo).args(args).status().unwrap();
assert!(status.success(), "git {args:?} failed");
}
/// members.json content with two members; `member_id`s are fixed 16-hex.
fn members_json(owner_pub: &str, admin_pub: &str, admin_role: &str) -> String {
format!(
r#"{{
"schema_version": 1,
"members": [
{{ "member_id": "1111111111111111", "display_name": "Owner", "role": "owner",
"ed25519_pubkey": "{}", "collections": [], "added_at": 0, "added_by": "1111111111111111" }},
{{ "member_id": "2222222222222222", "display_name": "Admin", "role": "{admin_role}",
"ed25519_pubkey": "{}", "collections": [], "added_at": 0, "added_by": "1111111111111111" }}
]
}}"#,
owner_pub.trim(),
admin_pub.trim()
)
}
/// Stage members.json, sign the commit with `signing_key`, return its SHA.
fn signed_members_commit(
repo: &Path,
signing_key: &Path,
allowed: &Path,
msg: &str,
content: &str,
) -> String {
fs::write(repo.join("members.json"), content).unwrap();
git(repo, &["add", "members.json"]);
let status = Command::new("git")
.current_dir(repo)
.args([
"-c", "gpg.format=ssh",
"-c", &format!("user.signingkey={}", signing_key.display()),
"-c", &format!("gpg.ssh.allowedSignersFile={}", allowed.display()),
"commit", "-S", "-q", "-m", msg,
])
.status()
.unwrap();
assert!(status.success());
let out = Command::new("git").current_dir(repo).args(["rev-parse", "HEAD"]).output().unwrap();
String::from_utf8(out.stdout).unwrap().trim().to_string()
}
/// Set up an org repo whose root commit (signed by the owner) registers an
/// owner + an admin. Returns (repo tmp, owner priv, admin priv, allowed file).
fn bootstrap() -> (TempDir, PathBuf, PathBuf, PathBuf) {
let tmp = TempDir::new().unwrap();
let repo = tmp.path();
git(repo, &["init", "-q", "-b", "main"]);
git(repo, &["config", "user.email", "t@t"]);
git(repo, &["config", "user.name", "t"]);
let (owner_priv, owner_pub) = write_keypair(repo, "owner");
let (admin_priv, admin_pub) = write_keypair(repo, "admin");
let allowed = repo.join("allowed_signers");
fs::write(
&allowed,
format!("relicario {}\nrelicario {}\n", owner_pub.trim(), admin_pub.trim()),
)
.unwrap();
// Genesis: owner registers both members (admin starts as `admin`).
let genesis = members_json(&owner_pub, &admin_pub, "admin");
signed_members_commit(repo, &owner_priv, &allowed, "org-init", &genesis);
// also write org.json + collections.json so later commits are well-formed
fs::write(repo.join("org.json"),
r#"{"schema_version":1,"org_id":"abc0abc0abc0abc0","display_name":"Acme","created_at":0}"#).unwrap();
fs::write(repo.join("collections.json"), r#"{"schema_version":1,"collections":[]}"#).unwrap();
git(repo, &["add", "org.json", "collections.json"]);
// sign this housekeeping commit with the owner too
let _ = signed_members_commit(repo, &owner_priv, &allowed, "scaffold",
&members_json(&owner_pub, &admin_pub, "admin"));
(tmp, owner_priv, admin_priv, allowed)
}
#[test]
fn admin_self_promote_to_owner_is_rejected() {
let (tmp, owner_priv, admin_priv, allowed) = bootstrap();
let repo = tmp.path();
let owner_pub = fs::read_to_string(repo.join("allowed_signers")).unwrap();
// Reconstruct pubkeys from the allowed_signers file (two "relicario <pub>" lines).
let lines: Vec<String> = owner_pub.lines()
.map(|l| l.trim_start_matches("relicario ").to_string()).collect();
let (op, ap) = (lines[0].clone(), lines[1].clone());
let _ = owner_priv;
// Admin signs a members.json that elevates THEMSELVES to owner.
let escalated = members_json(&op, &ap, "owner");
let sha = signed_members_commit(repo, &admin_priv, &allowed, "self-promote", &escalated);
AssertCommand::cargo_bin("relicario-server")
.unwrap()
.current_dir(repo)
.args(["verify-org-commit", &sha])
.assert()
.failure()
.stderr(predicate::str::contains("only an owner"));
}
#[test]
fn owner_promoting_an_admin_is_accepted() {
let (tmp, owner_priv, _admin_priv, allowed) = bootstrap();
let repo = tmp.path();
let allowed_body = fs::read_to_string(repo.join("allowed_signers")).unwrap();
let lines: Vec<String> = allowed_body.lines()
.map(|l| l.trim_start_matches("relicario ").to_string()).collect();
let (op, ap) = (lines[0].clone(), lines[1].clone());
// Owner signs a members.json that elevates the admin to owner — allowed.
let promoted = members_json(&op, &ap, "owner");
let sha = signed_members_commit(repo, &owner_priv, &allowed, "promote-admin", &promoted);
AssertCommand::cargo_bin("relicario-server")
.unwrap()
.current_dir(repo)
.args(["verify-org-commit", &sha])
.assert()
.success();
}
#[test]
fn commit_signed_by_non_member_is_rejected() {
// A commit signed by a key that is NOT in members.json must be rejected:
// verify_org_signer rebuilds allowed_signers from the current members only,
// so a non-member signature fails `git verify-commit`.
let (tmp, _owner_priv, _admin_priv, allowed) = bootstrap();
let repo = tmp.path();
// A stranger key, never registered as a member.
let (stranger_priv, _stranger_pub) = write_keypair(repo, "stranger");
// Stranger signs a commit touching an UNRESTRICTED file (members.json stays
// owner+admin, so allowed_signers excludes the stranger).
fs::write(repo.join("manifest.enc"), b"\x02ciphertext").unwrap();
git(repo, &["add", "manifest.enc"]);
let status = Command::new("git")
.current_dir(repo)
.args([
"-c", "gpg.format=ssh",
"-c", &format!("user.signingkey={}", stranger_priv.display()),
"-c", &format!("gpg.ssh.allowedSignersFile={}", allowed.display()),
"commit", "-S", "-q", "-m", "stranger-write",
])
.status()
.unwrap();
assert!(status.success());
let out = Command::new("git")
.current_dir(repo)
.args(["rev-parse", "HEAD"])
.output()
.unwrap();
let sha = String::from_utf8(out.stdout).unwrap().trim().to_string();
AssertCommand::cargo_bin("relicario-server")
.unwrap()
.current_dir(repo)
.args(["verify-org-commit", &sha])
.assert()
.failure()
.stderr(predicate::str::contains("REJECT"));
}
#[test]
fn genesis_bootstrap_with_sole_owner_is_accepted() {
// A root (parent-less) commit registering the sole owner, signed by that
// owner, is the genesis bootstrap and must be accepted.
let tmp = TempDir::new().unwrap();
let repo = tmp.path();
git(repo, &["init", "-q", "-b", "main"]);
git(repo, &["config", "user.email", "t@t"]);
git(repo, &["config", "user.name", "t"]);
let (owner_priv, owner_pub) = write_keypair(repo, "owner");
let allowed = repo.join("allowed_signers");
fs::write(&allowed, format!("relicario {}\n", owner_pub.trim())).unwrap();
let sole_owner = format!(
r#"{{
"schema_version": 1,
"members": [
{{ "member_id": "1111111111111111", "display_name": "Owner", "role": "owner",
"ed25519_pubkey": "{}", "collections": [], "added_at": 0, "added_by": "1111111111111111" }}
]
}}"#,
owner_pub.trim()
);
// First commit in a fresh repo → root (is_root == true).
let sha = signed_members_commit(repo, &owner_priv, &allowed, "org-init", &sole_owner);
AssertCommand::cargo_bin("relicario-server")
.unwrap()
.current_dir(repo)
.args(["verify-org-commit", &sha])
.assert()
.success();
}

24
docs/superpowers/plans/2026-06-06-enterprise-org-vault.md
View File

@@ -4546,6 +4546,14 @@ fn verify_org_commit(commit: &str) -> Result<()> {
/// role elevated up to Owner/Admin). On genesis (root), the sole bootstrap /// role elevated up to Owner/Admin). On genesis (root), the sole bootstrap
/// owner the commit introduces is allowed (it has no parent baseline). /// owner the commit introduces is allowed (it has no parent baseline).
/// ///
/// CRITICAL: the signer's authority is judged on their role in the PARENT
/// commit (`parent_role(signer)`), NOT the post-change `signer.role` carried in
/// the commit under verification. Reading `signer.role` would let an Admin
/// self-promote to Owner in the same commit and then self-authorize that very
/// promotion (the gate would see the already-elevated role and pass) — the
/// exact escalation this exists to stop. A signer absent from the parent
/// (`None`) has no prior authority and is rejected.
///
/// `git_show_parent` is defined in Task C2 (same file, same crate). /// `git_show_parent` is defined in Task C2 (same file, same crate).
fn enforce_owner_only_elevation( fn enforce_owner_only_elevation(
commit: &str, commit: &str,
@@ -4579,6 +4587,12 @@ fn enforce_owner_only_elevation(
parent_members.iter().find(|(mid, _)| mid == id).map(|(_, r)| *r) parent_members.iter().find(|(mid, _)| mid == id).map(|(_, r)| *r)
}; };
// The signer's authority = their PARENT role. A member absent from the parent
// (brand new) has no prior authority and cannot mint owners/admins. This is
// judged BEFORE the loop and never reads the post-change `signer.role`.
let signer_parent = parent_role(signer.member_id.as_str());
let signer_may_manage_owners = signer_parent.map_or(false, |r| r.can_manage_owners());
for m in &new_members.members { for m in &new_members.members {
if !is_privileged(m.role) { if !is_privileged(m.role) {
continue; continue;
@@ -4592,12 +4606,14 @@ fn enforce_owner_only_elevation(
if parent_role(m.member_id.as_str()) == Some(m.role) { if parent_role(m.member_id.as_str()) == Some(m.role) {
continue; // unchanged role — not an introduction or elevation continue; // unchanged role — not an introduction or elevation
} }
// A new owner/admin, or a member elevated to owner/admin → owner-only. // A new owner/admin, or a member elevated to owner/admin → owner-only,
if !signer.role.can_manage_owners() { // judged by the signer's PRE-commit (parent) authority — never the
// post-change `signer.role`.
if !signer_may_manage_owners {
eprintln!( eprintln!(
"REJECT: org commit {commit} — member '{}' (role {:?}) may not introduce or \ "REJECT: org commit {commit} — member '{}' (parent role {:?}) may not introduce or \
elevate owner/admin '{}' to {:?}; only an owner may", elevate owner/admin '{}' to {:?}; only an owner may",
signer.display_name, signer.role, m.display_name, m.role signer.display_name, signer_parent, m.display_name, m.role
); );
std::process::exit(1); std::process::exit(1);
} }

2
docs/superpowers/specs/2026-06-06-relicario-enterprise-org-vault-design.md
View File

@@ -271,7 +271,7 @@ Parses `git log` (record separator `%x1e`, field separator `%x1f` to survive mul
1. **Verifies the signature** by building a temporary `allowed_signers` from `members.json` ed25519 keys, injecting `gpg.ssh.allowedSignersFile` via `GIT_CONFIG_*`, running `git verify-commit --raw`, and parsing the `SHA256:` fingerprint from stderr — the same mechanism the existing `verify-commit` uses. A commit with no good signature, or whose signer is not a current member, is rejected. (Bare `git %GF` is **not** used — it returns empty without an allowed-signers file.) 1. **Verifies the signature** by building a temporary `allowed_signers` from `members.json` ed25519 keys, injecting `gpg.ssh.allowedSignersFile` via `GIT_CONFIG_*`, running `git verify-commit --raw`, and parsing the `SHA256:` fingerprint from stderr — the same mechanism the existing `verify-commit` uses. A commit with no good signature, or whose signer is not a current member, is rejected. (Bare `git %GF` is **not** used — it returns empty without an allowed-signers file.)
2. **Authorizes the change** by inspecting `git diff-tree` paths: 2. **Authorizes the change** by inspecting `git diff-tree` paths:
- `members.json` / `collections.json` / `org.json` → signer must be owner/admin; a `member-role-change` granting owner/admin must be signed by an owner. - `members.json` / `collections.json` / `org.json` → signer must be owner/admin; a `member-role-change` granting owner/admin must be signed by an owner. The signer's authority here is judged on their role in the **parent** commit (their pre-change role), never the post-change role carried in the commit under verification — otherwise an Admin could self-promote to Owner in one commit and have the gate read the already-elevated role and self-authorize. A signer absent from the parent has no prior authority and is rejected. (Genesis is the sole exception — see §4 below.)
- `items/<slug>/<id>.enc``<slug>` must be in the signing member's grants. - `items/<slug>/<id>.enc``<slug>` must be in the signing member's grants.
3. **Validates schema**`schema_version` must not decrease for any of the three JSON files (compared against `{commit}^:<file>`), and `members.json`/`collections.json` must pass `validate()`. 3. **Validates schema**`schema_version` must not decrease for any of the three JSON files (compared against `{commit}^:<file>`), and `members.json`/`collections.json` must pass `validate()`.
4. **Handles genesis and merges** — the root commit (no parent) is the org-init genesis: it is allowed if signed by the sole owner it introduces. Merge commits are rejected (org history is linear) to avoid first-parent-only diff blind spots. 4. **Handles genesis and merges** — the root commit (no parent) is the org-init genesis: it is allowed if signed by the sole owner it introduces. Merge commits are rejected (org history is linear) to avoid first-parent-only diff blind spots.