alee/relicario
1
0
Fork 0
Code Issues Pull Requests 8 Actions Packages Projects Releases Wiki Activity

Compare commits

base: alee:v0.8.0
Branches Tags
alee:main alee:feature/user-docs alee:feature/v0.8.1-cleanup-item-build alee:feature/v0.8.1-cli-arch-doc alee:feature/v0.8.1-status-roadmap alee:feature/v0.8.1-dev-c-document-attachments alee:feature/extension-cli-parity-gap-analysis alee:feature/v0.8.1-dev-b-card-key-totp alee:feature/v0.8.1-dev-a-foundation alee:feature/v0.8.1-dev-d-server-hook alee:feature/org-vault-a5-docs alee:feature/org-vault-doc-elevation-fix alee:feature/enterprise-org-vault-dev-a alee:feature/cli-tail-stream-b-session-manifest alee:feature/cli-tail-stream-c-core-wasm-seam alee:feature/cli-tail-stream-a-prompt-helpers alee:feature/arch-followup-stream-a-security-polish alee:feature/v0.5.1-stream-b-settings alee:feature/v0.5.1-stream-a-layout alee:feature/v0.5.1-stream-c-recovery-qr alee:feature/v0.5.0-plan-a-security-cleanup alee:feature/v0.5.0-plan-b-extension-ux
alee:v0.8.1 alee:v0.8.0 alee:v0.7.0 alee:v0.6.0 alee:plan-1c-beta2-complete alee:plan-1c-beta1-complete alee:plan-1c-alpha-complete alee:plan-1b-cli-wasm-complete
..
compare: alee:feature/org-vault-a5-docs
Branches Tags
alee:feature/user-docs alee:main alee:feature/v0.8.1-cleanup-item-build alee:feature/v0.8.1-cli-arch-doc alee:feature/v0.8.1-status-roadmap alee:feature/v0.8.1-dev-c-document-attachments alee:feature/extension-cli-parity-gap-analysis alee:feature/v0.8.1-dev-b-card-key-totp alee:feature/v0.8.1-dev-a-foundation alee:feature/v0.8.1-dev-d-server-hook alee:feature/org-vault-a5-docs alee:feature/org-vault-doc-elevation-fix alee:feature/enterprise-org-vault-dev-a alee:feature/cli-tail-stream-b-session-manifest alee:feature/cli-tail-stream-c-core-wasm-seam alee:feature/cli-tail-stream-a-prompt-helpers alee:feature/arch-followup-stream-a-security-polish alee:feature/v0.5.1-stream-b-settings alee:feature/v0.5.1-stream-a-layout alee:feature/v0.5.1-stream-c-recovery-qr alee:feature/v0.5.0-plan-a-security-cleanup alee:feature/v0.5.0-plan-b-extension-ux
alee:v0.8.1 alee:v0.8.0 alee:v0.7.0 alee:v0.6.0 alee:plan-1c-beta2-complete alee:plan-1c-beta1-complete alee:plan-1c-alpha-complete alee:plan-1b-cli-wasm-complete

1 Commits
v0.8.0 ... feature/or

Author SHA1 Message Date
adlee-was-taken
ed50735e91 docs(org): pre-stage A5 living-docs for merged core+server+CLI-admin (item-CRUD/extension TODO) 
Pre-stages the A5 living-docs sweep for the already-merged A (relicario-core org
module) + C (relicario-server pre-receive hook) + CLI admin/rotate/status-audit
work, so the final A5 sweep (after Dev-B B9-B14 merges) is fast.

Adds org sections to docs/FORMATS.md (org repo wire formats + wrapped-key blob
layout), docs/CRYPTO.md (ECIES X25519 wrap/unwrap, no-Argon2id contrast, rotate
re-encryption), docs/SECURITY.md (signature-verifying hook, owner-only elevation,
audit vocabulary, honest limitations), DESIGN.md (org-master-key secrets row +
server org mode + deps), core/cli ARCHITECTURE.md (org module + org_session), and
an Unreleased CHANGELOG entry.

B item-CRUD (org add/get/list/edit/rm/restore/purge + main.rs wiring) and extension
parity are left as explicit TODO. STATUS/ROADMAP mark-shipped and
extension/ARCHITECTURE are deferred to the full A5 (track not yet landed; Dev-D
deferred). All cited code constants pinned with file:line per living-docs discipline.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy
 2026-06-20 14:39:08 -04:00
19 changed files with 75 additions and 1480 deletions
Expand all files Collapse all files

49
CHANGELOG.md
View File

@@ -1,12 +1,14 @@
# Changelog
## v0.8.0 — 2026-06-20 — enterprise org vault
## Unreleased — enterprise org vault (in progress)
Git-native multi-user **org vaults**: a separate org git repository alongside each
member's personal vault, with a 256-bit org master key ECIES-wrapped per member to
their ed25519 device key, collection-scoped item storage, role-based access, and a
signature-verifying pre-receive hook that makes least-privilege enforcement
server-side. Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`.
signature-verifying pre-receive hook that makes least-privilege server-enforced.
Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`. Entries
below cover the **already-merged** core (A) + server (C) + CLI admin work; item CRUD
and extension parity land subsequently.
### Added
- **relicario-core `org` module** (`crates/relicario-core/src/org.rs`): org types
@@ -15,39 +17,22 @@ server-side. Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vau
key wrap/unwrap (`generate_org_key`, `wrap_org_key`, `unwrap_org_key`) — ed25519→
X25519 via RFC 7748 clamp, domain-separated `SHA-256(dh || eph_pk || rcpt_pk)` KDF,
XChaCha20-Poly1305 inner cipher, all key material in `Zeroizing`. Adds
`encrypt_org_manifest` / `decrypt_org_manifest` vault wrappers. New dependencies:
`x25519-dalek 2` (`static_secrets`) in core, `ssh-key 0.6` in core and CLI.
- **relicario-server org mode**: `verify-org-commit` (commit-signature verification
against `members.json` ed25519 keys, path-scoped role/grant authorization,
owner-only elevation judged on the signer's pre-commit role, schema-version
monotonicity) and `generate-org-hook`; new `[lib]` target (`classify_path`,
`extract_schema_version`). Audit trail on every push carries verified-signer
attribution; commits whose signer cannot be matched are flagged `TAMPERED`.
`encrypt_org_manifest` / `decrypt_org_manifest` vault wrappers. New dependency
`x25519-dalek 2` (`static_secrets`).
- **relicario-server org mode**: `verify-org-commit` (signature verification against
`members.json`, path-scoped role/grant authorization, owner-only elevation judged
on the signer's pre-commit role, schema-version monotonicity) and
`generate-org-hook`; new `[lib]` target (`classify_path`, `extract_schema_version`).
- **relicario-cli org admin commands**: `org init`, `add-member` / `remove-member` /
`set-role` (owner-only escalation guard), `create-collection` / `grant` / `revoke`,
`rotate-key` (re-encrypts every item blob + manifest under a fresh org key),
`transfer-ownership`, `delete-org` (local tombstone; hook blocks pushing a
protected-file deletion), `status` / `audit`. Org commits are signed
(`org_git_run` preserves signing).
- **relicario-cli org item CRUD**: `org add` (Login, SecureNote, Identity — each
collection-scoped and grant-enforced), `org get <query> [--show]` (secrets masked
by default; renders Login/SecureNote/Identity/Card/Document/Totp), `org list
[--trashed]` (manifest filtered to your collection grants), `org edit <query>`
(flag-driven field updates for login/note/identity fields), `org rm` / `org restore`
/ `org purge` (soft-delete lifecycle). Audit actions emitted: `item-create`,
`item-update`, `item-delete`, `item-restore`, `item-purge`.
`rotate-key` (re-encrypts every item blob + manifest under a fresh key),
`status` / `audit` (verified-signer attribution + `TAMPERED` flag). Org commits are
signed (`org_git_run` preserves signing). New `ssh-key` dependency in the CLI.
### Deferred
- `org add` / `org edit` parity for Card, SshKey, Document, and Totp item types
(only Login, SecureNote, Identity supported today; `org get` and `org list` can
display all types already present in the vault).
### TODO (pending merge)
- CLI item CRUD: `org add` / `get` / `list` / `edit` / `rm` / `restore` / `purge`,
and the final `Commands::Org` wiring in `main.rs` (Dev-B B9B14).
- Extension org switch + read-only browse parity (Dev-D follow-up).
- Extension org writes.
- Phase-2 features: SSO/LDAP provisioning, read audit trail, per-collection subkeys
(the current shared org master key scopes *writes* via the hook and *read access*
via manifest filtering, but does not cryptographically isolate collections from one
another — a member who obtains the org key can decrypt any blob), HTTP management
plane.
## v0.7.0 — 2026-06-01

6
Cargo.lock generated
View File

@@ -2156,7 +2156,7 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
[[package]]
name = "relicario-cli"
version = "0.8.0"
version = "0.7.0"
dependencies = [
"anyhow",
"arboard",
@@ -2188,7 +2188,7 @@ dependencies = [
[[package]]
name = "relicario-core"
version = "0.8.0"
version = "0.7.0"
dependencies = [
"argon2",
"base64",
@@ -2235,7 +2235,7 @@ dependencies = [
[[package]]
name = "relicario-wasm"
version = "0.8.0"
version = "0.7.0"
dependencies = [
"base64",
"ed25519-dalek",

2
DESIGN.md
View File

@@ -164,7 +164,7 @@ The enterprise org vault is a **second git repository** alongside each member's
- **relicario-server** gains an **org mode**: a new `[lib]` target (`classify_path`, `extract_schema_version`) plus the `verify-org-commit` and `generate-org-hook` subcommands — a signature-verifying, path-scoped pre-receive hook (see `docs/SECURITY.md`).
- **extension** org switch + read parity is a tracked follow-up (Dev-D) — `TODO (extension follow-up)`.
Status: the backend is complete on `main` — core (A) org module, server hook (C), and the full CLI (all 19 `org` subcommands incl. item CRUD) are merged. Deferred: `org add`/`edit` parity for Card/Key/Document/Totp (Login/SecureNote/Identity ship today), and the extension org switch + read parity (`TODO (extension follow-up)`, Dev-D).
Status: core (A) + server hook (C) merged; CLI admin/rotate/status-audit merged; CLI item-CRUD + the final command wiring are `TODO (pending Dev-B B9B14)`.
## Build matrix

8
ROADMAP.md
View File

@@ -7,7 +7,6 @@
| Version | Highlights |
|---|---|
| *(untagged, 2026-06-20)* | **Enterprise org vault — backend complete** (`7392795`): relicario-core `org` module (ECIES X25519 key wrap/unwrap, `OrgRole`/`OrgMember`/`OrgManifest` types, `filter_for_member`, `schema_version: 1`); relicario-server org hook (`verify-org-commit`: signature verification, path-scoped authz, `enforce_owner_only_elevation` on parent role, `enforce_schema_monotonicity`, `generate-org-hook`, new `[lib]` target); relicario-cli — all 19 `relicario org` subcommands: init, add-member/remove-member/set-role, create-collection/grant/revoke, rotate-key (re-encrypts all blobs), transfer-ownership, delete-org, status, audit, and item CRUD (add/get/list/edit/rm/restore/purge). **Not yet shipped:** `org add`/`edit` for Card/SshKey/Document/Totp; extension org parity (Dev-D); phase 2 (SSO/LDAP, read audit, per-collection subkeys, HTTP plane). |
| v0.7.0 *(2026-06-01)* | Extension restructure (Plan C) complete — Phases 3/4/6 merged via 3 parallel worktree streams under PM coordination: setup wizard crypto migrated into the SW (`create_vault`/`attach_vault`; `setup.ts` 1230→58 LOC + step registry); `vault.ts` split 1037→194 LOC into 5 focused + 2 support modules; `vault_locked` intercept lifted into `shared/state.ts`; `get_vault_status` SW message + sidebar status indicator closing the last `relicario status` CLI/extension parity gap |
| v0.6.0 *(2026-05-30)* | Security audit fixes; device authentication; backup/restore + LastPass import; fullscreen UX Phases 1+2A+2B; v0.5.1 Streams A/B/C (3-column vault layout + bottom-sheet picker + toast system; left-nav settings; Recovery QR end-to-end + setup wizard Style C); 1C-γ (attachments + Document type + device registration + trash + field history); Plan B multi-stream refactor (commands/ split, prompt_or_flag, core/WASM seam); vault-tab management surfaces revamp (settings synced/local split, devices fingerprint, trash purge countdown, field-history polish, item-history-index, `#history/<id>` routing); doc-structure redesign (rename to DESIGN/CRYPTO/docs/FORMATS, scope headers + Next: footers); GPL-3.0-or-later license |
| v0.2.0 | Typed-item rewrite (Plans 1A/1B/1C-α/β₁/β₂) |
@@ -16,19 +15,14 @@ See `CHANGELOG.md` for tagged-release detail and `STATUS.md` for the per-train c
## Up next
All three 2026-05-04 architecture-review specs are shipped; enterprise org vault backend is shipped (2026-06-20). Pending items in rough priority order:
All three 2026-05-04 architecture-review specs are now shipped (CLI restructure = Plan B Cycles 1+2; security polish = Stream A Cycle 1; extension restructure = Plan C Phases 16, completed v0.7.0 2026-06-01). The next committed item is:
- **Org-vault item-type parity** — `org add`/`edit` support for Card, SshKey, Document, Totp (Login/SecureNote/Identity ship today)
- **Extension org parity — read** — org switch + collection-filtered browse in the popup/vault tab (Dev-D, deferred)
- **Extension org parity — write** — `org add`/`edit`/`rm` from the extension
- **Phase 4: command palette** — ⌘K global search + action dispatch across the vault tab (no spec yet)
## Medium-term
_(promote here once specced)_
- **Org vault phase 2** — SSO/LDAP federation, read audit log, per-collection subkeys (true cryptographic scope separation per collection), HTTP management plane
## Long-term / backlog
- **Relay server** — encrypted WebSocket relay for multi-device sync without a shared git server

34
STATUS.md
View File

@@ -98,30 +98,6 @@ Plan: `docs/superpowers/plans/2026-05-24-vault-tab-management-surfaces-revamp.md
- Item-history-index pane — top-level "items with history" list (`32e1632`)
- Sidebar slot wiring + `#history/<id>` route with `#field-history/<id>` legacy normalization (`88d7228`)
### Enterprise org vault — core + server hook + CLI (merged 2026-06-20, `7392795`)
Spec: `docs/superpowers/specs/2026-06-06-relicario-enterprise-org-vault-design.md`; plan: `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`
**relicario-core org module** (`crates/relicario-core/src/org.rs`): `OrgId`, `MemberId`, `OrgRole` (Owner/Admin/Member), `OrgMember`, `OrgMembers`/`OrgCollections`/`OrgMeta`/`OrgManifest`/`OrgManifestEntry` (all `schema_version: 1`); `generate_org_key`; ECIES X25519 key wrap/unwrap (`wrap_org_key` / `unwrap_org_key`) — ed25519→X25519 conversion via `SHA-512(seed)[..32]` + RFC 7748 clamp, ephemeral DH, `SHA-256(dh_shared || ephemeral_pk || recipient_pk)` wrap key, inner cipher delegated to `crate::crypto::encrypt` (XChaCha20-Poly1305, no Argon2id in org path); `OrgManifest::filter_for_member` for collection-scoped manifest views. Vault wrappers: `encrypt_org_manifest` / `decrypt_org_manifest` in `vault.rs`. 5 acceptance tests in `crates/relicario-core/tests/org.rs` incl. wrap/unwrap round-trip, revoke-after-rotation, manifest filter, and an RFC 8032 ed25519→X25519 known-answer vector.
**relicario-server org hook** (`crates/relicario-server/src/{lib.rs,main.rs}`): pure `classify_path` / `extract_schema_version` in new `lib.rs` target; `verify_org_commit` — commit-signature verification against `members.json` ed25519 keys, path-scoped authorization (protected JSON → owner/admin only; `items/<slug>/…` → slug in signer's grants), `enforce_owner_only_elevation` (parent-role check; guards against privilege self-escalation), `enforce_schema_monotonicity` (schema_version must not decrease; merge commits rejected; genesis allowed); `generate-org-hook` subcommand emits a wrapper script. New `[lib]` target added to `relicario-server` crate.
**relicario-cli — all 19 `relicario org` subcommands** (`crates/relicario-cli/src/{org_session.rs,commands/org.rs,device.rs}`): `org_session.rs` provides `UnlockedOrgVault` (org key in `Zeroizing`), collection-scoped `item_path`, fingerprint-based member match, `atomic_write`, `org_git_run` (signed commits — does NOT suppress `commit.gpgsign`).
Admin/lifecycle commands: `init` (structure + wrap + `configure_git_signing` + signed bootstrap commit), `add-member` / `remove-member` / `set-role` (owner-only escalation guard), `create-collection` / `grant` / `revoke`, `rotate-key` (fresh key + re-wrap all members + re-encrypt every `items/<slug>/<id>.enc` blob + manifest, concurrent-rotation abort, `Relicario-Action: key-rotate`), `transfer-ownership`, `delete-org`, `status`, `audit` (verified-signer attribution + TAMPERED flag).
Item CRUD commands (B9B14): `org add` (`OrgAddKind`: Login/SecureNote/Identity; card/key/document/totp deferred — see below), `org get <query> [--show]`, `org list [--trashed]`, `org edit <query> [--title/--username/…]`, `org rm`, `org restore`, `org purge`. All ops are collection-scoped + grant-enforced; audit trail emits `item-create` / `item-update` / `item-delete` / `item-restore` / `item-purge`.
**A5 doc-fix** (`enforce_owner_only_elevation` parent-role close, `519e503`) and this living-docs sweep also landed.
**Tracked follow-ups (deferred, not shipped):**
- `org add` / `org edit` parity for Card, SshKey, Document, Totp item types (Login/SecureNote/Identity only today; `get`/`list` can display all types if present)
- Extension org-vault switch + read parity (Dev-D deferred)
- Extension org write operations
- Phase 2: SSO/LDAP federation, read audit log, per-collection subkeys (true cryptographic scope separation), HTTP management plane
**Known limitations (by design in phase 1):** shared org master key — reads are not cryptographically scoped per collection (hook scopes writes; client filters manifest); no read audit (git records writes only); `delete-org` is a local tombstone only (hook rejects protected-file deletion on push).
### Extension restructure — Plan C Phases 3, 4, 6 (merged 2026-05-31 → 06-01, v0.7.0)
Spec: `docs/superpowers/specs/2026-05-04-extension-restructure-design.md`
@@ -167,12 +143,6 @@ Per the 2026-05-30 post-v0.6.0 audit of the three 2026-05-04 architecture-review
- **Security polish** (`2026-05-04-security-polish-design.md`) — *already shipped* as Stream A Cycle 1 (`89090a8`) plus follow-ups (`0c9387f` start.sh fourth window, `229e483` recovery_qr.rs docs). All four phases done.
- **Extension restructure** (`2026-05-04-extension-restructure-design.md`, plan `docs/superpowers/plans/2026-05-30-extension-restructure.md`) — ✅ **COMPLETE** (all six phases merged; see the dated landing section above). Phases 1/2/5 merged 2026-05-30; Phases 3/4/6 merged 2026-05-31 → 06-01. Final tree: 423/423 vitest, build:all clean. v0.7.0 versions bumped; tag pending.
**Enterprise org vault** — ✅ **COMPLETE (backend)** — all 19 CLI subcommands + core + server hook merged `7392795` 2026-06-20. Deferred follow-ups tracked in the landing section above.
Beyond extension restructure, ROADMAP medium-term holds Phase 4 command palette (no spec yet). Long-term: relay server, mobile.
Pending org-vault follow-ups (in rough priority order):
- `org add`/`edit` parity for Card, SshKey, Document, Totp
- Extension org switch + read parity (Dev-D)
- Extension org write operations
- **Phase 4: command palette** — ⌘K global search + action dispatch across the vault tab (no spec yet)
Long-term: relay server, mobile. See `ROADMAP.md` for the longer arc and `CHANGELOG.md` for tagged-release history (current head: `v0.6.0`; the `v0.7.0` entry covers extension-restructure completion).
See `ROADMAP.md` for the longer arc and `CHANGELOG.md` for tagged-release history (current head: `v0.6.0`; the `v0.7.0` entry covers this extension-restructure completion).

49
crates/relicario-cli/ARCHITECTURE.md
View File

@@ -74,43 +74,26 @@ under `src/commands/`. Each source file has one job.
- **`src/org_session.rs`** — `UnlockedOrgVault`, the org-vault analogue of
`session.rs`. Holds the org master key in `Zeroizing<[u8; 32]>` for one CLI
invocation, recovered by unwrapping `keys/<member-id>.enc` with the device
ed25519 seed. `open_org_vault` calls `crate::device::current_device_seed()`
directly (`device.rs`) — a duplicate private fn that previously existed in
`org_session.rs` was removed during the A5 sweep (implementations were
identical). Owns the **collection-scoped** `item_path`
(`items/<collection-slug>/<id>.enc` — the leading slug is what the pre-receive
hook authorizes against, never decrypting), fingerprint-based member matching
(`relicario_core::fingerprint`, tolerant of OpenSSH whitespace/comment
differences), `atomic_write`, and `org_git_run`. Note `org_git_run` runs
**bare git** — unlike `helpers::git_run` it does NOT inject
ed25519 seed (`relicario_core::unwrap_org_key`). Owns the **collection-scoped**
`item_path` (`items/<collection-slug>/<id>.enc` — the leading slug is what the
pre-receive hook authorizes against, never decrypting), fingerprint-based
member matching (`relicario_core::fingerprint`, tolerant of OpenSSH
whitespace/comment differences), `atomic_write`, and `org_git_run`. Note
`org_git_run` runs **bare git** — unlike `helpers::git_run` it does NOT inject
`commit.gpgsign=false`, because org commits MUST be signed (the hook verifies
every commit's signature); signing config is established by
`configure_git_signing` during `org init`.
- **`src/commands/org.rs`** — the `relicario org` subcommand surface. Full
19-subcommand surface is merged and wired via `Commands::Org` in `main.rs`.
*Admin / lifecycle (12):* `init` (structure + wrap + `configure_git_signing` +
signed bootstrap commit), `add-member` / `remove-member` / `set-role`
(owner-only escalation guard), `create-collection` / `grant` / `revoke`,
`rotate-key` (`run_rotate_key`, `commands/org.rs:332` — fresh key, re-wrap for
all members, re-encrypt every item blob + manifest under the new key,
concurrent-rotation abort), `transfer-ownership`, `delete-org`, `status` /
`audit` (verified-signer attribution + `TAMPERED` flag).
*Item CRUD (7):* `org add` creates typed items via `OrgAddKind`
(`commands/org.rs:749`) — **Login / SecureNote / Identity only**; Card /
SshKey / Document / Totp creation is a deferred follow-up. `get` / `list` can
display any item type if present. `org get <query> [--show]` masks secrets
unless `--show`; `org list [--trashed]` filters by the caller's collection
grants; `org edit <query>` is flag-driven (blank flags keep current values);
`org rm` soft-deletes, `org restore` undoes, `org purge` permanently removes
the encrypted blob. All item ops are collection-scoped and grant-enforced. The
audit trail emits `item-create` / `item-update` / `item-delete` /
`item-restore` / `item-purge`.
Deferred: Card / SshKey / Document / Totp `org add` / `edit` parity;
extension org reads and writes (Dev-D).
- **`src/commands/org.rs`** — the `relicario org` subcommand surface. Merged:
`init`, `add-member` / `remove-member` / `set-role` (owner-only escalation
guard), `create-collection` / `grant` / `revoke`, `rotate-key`
(`run_rotate_key`, `commands/org.rs:332` — fresh key, re-wrap for all members,
re-encrypt every item blob + manifest under the new key, concurrent-rotation
abort), and `status` / `audit` (verified-signer attribution + `TAMPERED`
flag). **TODO (pending Dev-B B9B14):** the item-CRUD commands (`org add` /
`get` / `list` / `edit` / `rm` / `restore` / `purge`) and the final
`Commands::Org` wiring in `main.rs`. `device.rs` gains
`current_device_seed` / `current_device_pubkey` helpers for the ECIES unwrap.
- **`src/helpers.rs`** (`helpers.rs:1-101`) — pure, no-state plumbing:
`find_vault_dir_from` (`helpers.rs:14-28`) walks up parent directories

2
crates/relicario-cli/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "relicario-cli"
version = "0.8.0"
version = "0.7.0"
edition = "2021"
description = "CLI for relicario password manager"
license = "GPL-3.0-or-later"

480
crates/relicario-cli/src/commands/org.rs
View File

@@ -6,8 +6,7 @@ use std::path::Path;
use anyhow::{Context, Result};
use relicario_core::{
generate_org_key, wrap_org_key,
CollectionDef, Item, ItemCore, MemberId, OrgCollections, OrgManifest, OrgMembers, OrgMeta,
OrgRole, OrgMember,
CollectionDef, MemberId, OrgCollections, OrgManifest, OrgMembers, OrgMeta, OrgRole, OrgMember,
encrypt_org_manifest,
};
@@ -442,73 +441,6 @@ pub fn run_rotate_key(dir: &Path) -> Result<()> {
Ok(())
}
pub fn run_transfer_ownership(dir: &Path, member_id_prefix: &str, keep_owner: bool) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_owners() {
anyhow::bail!("only an owner can transfer ownership");
}
let mut members = vault.load_members()?;
let target_id = resolve_member_id(&members, member_id_prefix)?;
if target_id == caller.member_id {
anyhow::bail!("you are already the owner");
}
// Promote the target to Owner.
{
let target = members.find_by_id_mut(&target_id)
.ok_or_else(|| anyhow::anyhow!("member not found"))?;
target.role = OrgRole::Owner;
}
// Real transfer: also demote the CALLER to Admin, unless --keep-owner was
// passed (explicit co-ownership). The spec says "owner → another member",
// so demotion is the default.
if !keep_owner {
if let Some(me) = members.find_by_id_mut(&caller.member_id) {
me.role = OrgRole::Admin;
}
}
vault.save_members(&members)?;
let mode = if keep_owner { "co-ownership (caller kept owner)" } else { "caller demoted to admin" };
let commit_msg = format!(
"org: transfer ownership to {} ({mode})\n\nRelicario-Actor: {} {}\nRelicario-Action: ownership-transfer\nRelicario-Member: {}",
target_id.as_str(), caller.display_name, caller.member_id.as_str(), target_id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", "members.json"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
if keep_owner {
println!("Ownership shared with {} (you remain an owner).", target_id.as_str());
} else {
println!("Ownership transferred to {} (you are now an admin).", target_id.as_str());
}
Ok(())
}
pub fn run_delete_org(dir: &Path, confirm: bool) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
if !caller.role.can_manage_owners() {
anyhow::bail!("only an owner can delete the org");
}
if !confirm {
anyhow::bail!("refusing to delete org without --confirm");
}
let commit_msg = format!(
"org: delete org\n\nRelicario-Actor: {} {}\nRelicario-Action: org-delete",
caller.display_name, caller.member_id.as_str()
);
// Remove org files (the git history is retained as the audit record).
for f in ["org.json", "members.json", "collections.json", "manifest.enc"] {
let _ = fs::remove_file(vault.root.join(f));
}
let _ = std::fs::remove_dir_all(vault.root.join("items"));
let _ = std::fs::remove_dir_all(vault.root.join("keys"));
crate::org_session::org_git_run(&vault.root, &["add", "-A"], "git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "git commit")?;
println!("Org deleted (git history retained as audit record).");
Ok(())
}
pub fn run_status(dir: &Path) -> Result<()> {
let root = crate::org_session::org_dir(Some(dir))?;
@@ -745,416 +677,6 @@ pub fn run_audit(
Ok(())
}
/// Item kinds `org add` supports without interactive prompts.
pub enum OrgAddKind {
Login {
title: String,
username: Option<String>,
url: Option<String>,
password: Option<String>,
},
SecureNote {
title: String,
body: String,
},
Identity {
title: String,
full_name: Option<String>,
email: Option<String>,
phone: Option<String>,
},
}
fn build_org_item(kind: OrgAddKind, tags: Vec<String>) -> Result<Item> {
use relicario_core::item_types::{IdentityCore, LoginCore, SecureNoteCore};
use zeroize::Zeroizing;
let mut item = match kind {
OrgAddKind::Login { title, username, url, password } => {
let parsed_url = match url {
Some(s) => Some(url::Url::parse(&s).with_context(|| format!("invalid URL: {s}"))?),
None => None,
};
let password = password.map(Zeroizing::new);
Item::new(title, ItemCore::Login(LoginCore {
username,
password,
url: parsed_url,
totp: None,
}))
}
OrgAddKind::SecureNote { title, body } => {
Item::new(title, ItemCore::SecureNote(SecureNoteCore {
body: Zeroizing::new(body),
}))
}
OrgAddKind::Identity { title, full_name, email, phone } => {
Item::new(title, ItemCore::Identity(IdentityCore {
full_name,
address: None,
phone,
email,
date_of_birth: None,
}))
}
};
item.tags = tags;
Ok(item)
}
pub fn run_add(dir: &Path, collection: &str, kind: OrgAddKind, tags: Vec<String>) -> Result<()> {
use crate::org_session::UnlockedOrgVault;
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
// Slug must exist in collections.json…
let collections = vault.load_collections()?;
if !collections.contains_slug(collection) {
anyhow::bail!("collection `{collection}` does not exist — create it with `relicario org create-collection`");
}
// …and the caller must hold a grant for it.
UnlockedOrgVault::ensure_grant(&caller, collection)?;
let item = build_org_item(kind, tags)?;
let item_rel = vault.save_item(collection, &item)?;
// Upsert the manifest entry (collection slug stored plaintext inside the
// encrypted manifest).
let mut manifest = vault.load_manifest()?;
upsert_org_entry(&mut manifest, &item, collection);
vault.save_manifest(&manifest)?;
let subject = format!(
"org add: {} ({})",
crate::helpers::sanitize_for_commit(&item.title),
item.id.as_str()
);
let commit_msg = format!(
"{subject}\n\nRelicario-Actor: {} {}\nRelicario-Action: item-create\nRelicario-Collection: {}\nRelicario-Item: {}",
caller.display_name,
caller.member_id.as_str(),
collection,
item.id.as_str()
);
crate::org_session::org_git_run(
&vault.root,
&["add", &item_rel, "manifest.enc"],
"org add: git add",
)?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "org add: git commit")?;
println!("Added {} ({}) to `{}`", item.title, item.id.as_str(), collection);
Ok(())
}
pub fn run_list(dir: &Path, trashed: bool) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let manifest = vault.load_manifest()?;
// filter_for_member restricts to the caller's granted collections.
let visible = manifest.filter_for_member(&caller);
let mut entries: Vec<_> = visible.entries.iter()
.filter(|e| if trashed { e.trashed_at.is_some() } else { e.trashed_at.is_none() })
.collect();
entries.sort_by(|a, b| a.title.to_lowercase().cmp(&b.title.to_lowercase()));
if entries.is_empty() {
eprintln!("(no items match)");
return Ok(());
}
println!("{:<16} {:<14} {:<12} TITLE", "ID", "TYPE", "COLLECTION");
for e in entries {
println!(
"{:<16} {:<14} {:<12} {}",
e.id.as_str(),
format!("{:?}", e.r#type),
e.collection,
e.title
);
}
Ok(())
}
pub fn run_get(dir: &Path, query: &str, show: bool) -> Result<()> {
use relicario_core::ItemCore;
use zeroize::Zeroizing;
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let manifest = vault.load_manifest()?;
let visible = manifest.filter_for_member(&caller);
let entry = resolve_org_query(&visible, query)?;
// Double-check the grant for the resolved collection (defense in depth).
crate::org_session::UnlockedOrgVault::ensure_grant(&caller, &entry.collection)?;
let item = vault.load_item(&entry.collection, &entry.id)?;
println!("ID: {}", item.id.as_str());
println!("Title: {}", item.title);
println!("Type: {:?}", item.r#type);
println!("Collection: {}", entry.collection);
if !item.tags.is_empty() { println!("Tags: {}", item.tags.join(", ")); }
println!("Modified: {}", crate::helpers::iso8601(item.modified));
if let Some(t) = item.trashed_at { println!("Trashed: {}", crate::helpers::iso8601(t)); }
println!();
let primary_secret: Option<Zeroizing<String>> = match &item.core {
ItemCore::Login(l) => {
if let Some(u) = &l.username { println!("Username: {u}"); }
if let Some(u) = &l.url { println!("URL: {u}"); }
l.password.clone()
}
ItemCore::SecureNote(n) => {
if show { println!("Body:\n{}", n.body.as_str()); }
else { println!("Body: ********"); }
None
}
ItemCore::Identity(i) => {
if let Some(v) = &i.full_name { println!("Name: {v}"); }
if let Some(v) = &i.email { println!("Email: {v}"); }
if let Some(v) = &i.phone { println!("Phone: {v}"); }
None
}
ItemCore::Card(c) => {
if let Some(h) = &c.holder { println!("Holder: {h}"); }
c.number.clone()
}
ItemCore::Key(k) => {
if let Some(l) = &k.label { println!("Label: {l}"); }
Some(k.key_material.clone())
}
ItemCore::Document(d) => {
println!("Filename: {}", d.filename);
println!("MIME: {}", d.mime_type);
None
}
ItemCore::Totp(t) => {
if let Some(i) = &t.issuer { println!("Issuer: {i}"); }
if let Some(l) = &t.label { println!("Label: {l}"); }
None
}
};
if let Some(secret) = primary_secret {
if show {
println!("Secret: {}", secret.as_str());
} else {
println!("Secret: ******** (use --show to reveal)");
}
}
Ok(())
}
/// Resolve a query (exact id, else case-insensitive title substring) against an
/// already-grant-filtered manifest.
fn resolve_org_query<'a>(
manifest: &'a relicario_core::OrgManifest,
query: &str,
) -> Result<&'a relicario_core::OrgManifestEntry> {
if let Some(entry) = manifest.entries.iter().find(|e| e.id.as_str() == query) {
return Ok(entry);
}
let needle = query.to_lowercase();
let hits: Vec<&relicario_core::OrgManifestEntry> = manifest.entries.iter()
.filter(|e| e.title.to_lowercase().contains(&needle))
.collect();
match hits.len() {
0 => anyhow::bail!("no item matches `{query}`"),
1 => Ok(hits[0]),
_ => {
let titles: Vec<&str> = hits.iter().map(|e| e.title.as_str()).collect();
anyhow::bail!("ambiguous — {} matches: {}", hits.len(), titles.join(", "))
}
}
}
pub fn run_edit(
dir: &Path,
query: &str,
title: Option<String>,
username: Option<String>,
url: Option<String>,
password: Option<String>,
body: Option<String>,
email: Option<String>,
phone: Option<String>,
full_name: Option<String>,
) -> Result<()> {
use relicario_core::time::now_unix;
use relicario_core::ItemCore;
use zeroize::Zeroizing;
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let manifest = vault.load_manifest()?;
let visible = manifest.filter_for_member(&caller);
let entry = resolve_org_query(&visible, query)?;
let collection = entry.collection.clone();
let id = entry.id.clone();
crate::org_session::UnlockedOrgVault::ensure_grant(&caller, &collection)?;
let mut item = vault.load_item(&collection, &id)?;
if let Some(t) = title { item.title = t; }
match &mut item.core {
ItemCore::Login(l) => {
if let Some(u) = username { l.username = Some(u); }
if let Some(u) = url {
l.url = Some(url::Url::parse(&u).with_context(|| format!("invalid URL: {u}"))?);
}
if let Some(p) = password { l.password = Some(Zeroizing::new(p)); }
}
ItemCore::SecureNote(n) => {
if let Some(b) = body { n.body = Zeroizing::new(b); }
}
ItemCore::Identity(i) => {
if let Some(v) = full_name { i.full_name = Some(v); }
if let Some(v) = email { i.email = Some(v); }
if let Some(v) = phone { i.phone = Some(v); }
}
_ => anyhow::bail!("org edit currently supports login, secure-note, and identity items"),
}
item.modified = now_unix();
let item_rel = vault.save_item(&collection, &item)?;
let mut manifest = vault.load_manifest()?;
upsert_org_entry(&mut manifest, &item, &collection);
vault.save_manifest(&manifest)?;
let subject = format!(
"org edit: {} ({})",
crate::helpers::sanitize_for_commit(&item.title),
item.id.as_str()
);
let commit_msg = format!(
"{subject}\n\nRelicario-Actor: {} {}\nRelicario-Action: item-update\nRelicario-Collection: {}\nRelicario-Item: {}",
caller.display_name, caller.member_id.as_str(), collection, item.id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", &item_rel, "manifest.enc"], "org edit: git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "org edit: git commit")?;
println!("Updated {}", item.id.as_str());
Ok(())
}
/// Resolve a query to (collection, item) with grant enforcement. Used by the
/// trash-lifecycle commands.
fn open_org_item(
vault: &crate::org_session::UnlockedOrgVault,
caller: &relicario_core::OrgMember,
query: &str,
) -> Result<(String, relicario_core::Item)> {
let manifest = vault.load_manifest()?;
let visible = manifest.filter_for_member(caller);
let entry = resolve_org_query(&visible, query)?;
let collection = entry.collection.clone();
let id = entry.id.clone();
crate::org_session::UnlockedOrgVault::ensure_grant(caller, &collection)?;
let item = vault.load_item(&collection, &id)?;
Ok((collection, item))
}
pub fn run_rm(dir: &Path, query: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let (collection, mut item) = open_org_item(&vault, &caller, query)?;
item.soft_delete();
let item_rel = vault.save_item(&collection, &item)?;
let mut manifest = vault.load_manifest()?;
upsert_org_entry(&mut manifest, &item, &collection);
vault.save_manifest(&manifest)?;
let commit_msg = format!(
"org trash: {} ({})\n\nRelicario-Actor: {} {}\nRelicario-Action: item-delete\nRelicario-Collection: {}\nRelicario-Item: {}",
crate::helpers::sanitize_for_commit(&item.title), item.id.as_str(),
caller.display_name, caller.member_id.as_str(), collection, item.id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", &item_rel, "manifest.enc"], "org rm: git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "org rm: git commit")?;
println!("Moved to trash: {}", item.title);
Ok(())
}
pub fn run_restore(dir: &Path, query: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let (collection, mut item) = open_org_item(&vault, &caller, query)?;
item.restore();
let item_rel = vault.save_item(&collection, &item)?;
let mut manifest = vault.load_manifest()?;
upsert_org_entry(&mut manifest, &item, &collection);
vault.save_manifest(&manifest)?;
let commit_msg = format!(
"org restore: {} ({})\n\nRelicario-Actor: {} {}\nRelicario-Action: item-restore\nRelicario-Collection: {}\nRelicario-Item: {}",
crate::helpers::sanitize_for_commit(&item.title), item.id.as_str(),
caller.display_name, caller.member_id.as_str(), collection, item.id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["add", &item_rel, "manifest.enc"], "org restore: git add")?;
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "org restore: git commit")?;
println!("Restored: {}", item.title);
Ok(())
}
pub fn run_purge(dir: &Path, query: &str) -> Result<()> {
let vault = crate::org_session::open_org_vault(Some(dir))?;
let caller = vault.current_member()?;
let (collection, item) = open_org_item(&vault, &caller, query)?;
let title = item.title.clone();
let id = item.id.clone();
// Remove the blob from disk, drop the manifest entry, stage with git rm.
vault.remove_item(&collection, &id)?;
let mut manifest = vault.load_manifest()?;
manifest.entries.retain(|e| e.id != id);
vault.save_manifest(&manifest)?;
let item_rel = format!("items/{}/{}.enc", collection, id.as_str());
crate::helpers::git_rm(&vault.root, &[item_rel], "org purge: git rm")?;
crate::org_session::org_git_run(&vault.root, &["add", "manifest.enc"], "org purge: git add manifest")?;
let commit_msg = format!(
"org purge: {} ({})\n\nRelicario-Actor: {} {}\nRelicario-Action: item-purge\nRelicario-Collection: {}\nRelicario-Item: {}",
crate::helpers::sanitize_for_commit(&title), id.as_str(),
caller.display_name, caller.member_id.as_str(), collection, id.as_str()
);
crate::org_session::org_git_run(&vault.root, &["commit", "-m", &commit_msg], "org purge: git commit")?;
println!("Purged: {title}");
Ok(())
}
/// Insert-or-replace an `OrgManifestEntry` mirroring the personal-vault
/// `Manifest::upsert`. Keyed by item id.
fn upsert_org_entry(
manifest: &mut relicario_core::OrgManifest,
item: &Item,
collection: &str,
) {
let entry = relicario_core::OrgManifestEntry {
id: item.id.clone(),
r#type: item.r#type,
title: item.title.clone(),
tags: item.tags.clone(),
modified: item.modified,
trashed_at: item.trashed_at,
collection: collection.to_string(),
};
if let Some(slot) = manifest.entries.iter_mut().find(|e| e.id == item.id) {
*slot = entry;
} else {
manifest.entries.push(entry);
}
}
#[cfg(test)]
mod tests {
use super::*;

236
crates/relicario-cli/src/main.rs
View File

@@ -438,138 +438,7 @@ pub(crate) enum OrgCommands {
#[arg(long)]
name: String,
},
/// Add a member to the org.
AddMember {
/// OpenSSH ed25519 public key of the new member.
#[arg(long)]
key: String,
/// Display name.
#[arg(long)]
name: String,
/// Role: owner, admin, or member.
#[arg(long, default_value = "member")]
role: String,
},
/// Remove a member from the org.
RemoveMember {
/// Member ID prefix.
member_id: String,
},
/// Change a member's role.
SetRole {
member_id: String,
role: String,
},
/// Create a collection.
CreateCollection {
slug: String,
#[arg(long)]
name: String,
},
/// Grant a member access to a collection.
Grant {
member_id: String,
collection: String,
},
/// Revoke a member's access to a collection.
Revoke {
member_id: String,
collection: String,
},
/// Rotate the org master key (run after removing a member).
RotateKey,
/// Transfer ownership to another member (owner only). By default the caller
/// is demoted to admin; pass --keep-owner for explicit co-ownership.
TransferOwnership {
member_id: String,
/// Keep the caller as an owner too (co-ownership) instead of demoting.
#[arg(long)]
keep_owner: bool,
},
/// Delete the org (owner only; requires --confirm).
DeleteOrg {
#[arg(long)]
confirm: bool,
},
/// Show org members and collections.
Status,
/// Query the org audit log.
Audit {
#[arg(long)]
since: Option<String>,
#[arg(long)]
member: Option<String>,
#[arg(long)]
collection: Option<String>,
#[arg(long)]
action: Option<String>,
/// Output format: `table` (default) or `json`.
#[arg(long, default_value = "table")]
format: String,
},
/// Add an item to a collection in the org vault.
Add {
#[command(subcommand)]
kind: OrgAddKind,
},
/// Print an org item (secrets masked unless --show).
Get {
/// Item id or case-insensitive title substring.
query: String,
#[arg(long)] show: bool,
},
/// List org items visible to you (filtered by your collection grants).
List {
#[arg(long)] trashed: bool,
},
/// Edit an org item's fields (flag-driven; blank flags keep current values).
Edit {
/// Item id or case-insensitive title substring.
query: String,
#[arg(long)] title: Option<String>,
#[arg(long)] username: Option<String>,
#[arg(long)] url: Option<String>,
#[arg(long)] password: Option<String>,
#[arg(long)] body: Option<String>,
#[arg(long)] email: Option<String>,
#[arg(long)] phone: Option<String>,
#[arg(long)] full_name: Option<String>,
},
/// Soft-delete an org item (reversible via `org restore`).
Rm { query: String },
/// Restore a soft-deleted org item.
Restore { query: String },
/// Permanently purge an org item (deletes the encrypted blob).
Purge { query: String },
}
#[derive(clap::Subcommand)]
pub(crate) enum OrgAddKind {
/// A login (username / url / password).
Login {
#[arg(long)] collection: String,
#[arg(long)] title: String,
#[arg(long)] username: Option<String>,
#[arg(long)] url: Option<String>,
#[arg(long)] password: Option<String>,
#[arg(long, value_delimiter = ',')] tags: Vec<String>,
},
/// A secure note.
SecureNote {
#[arg(long)] collection: String,
#[arg(long)] title: String,
#[arg(long)] body: String,
#[arg(long, value_delimiter = ',')] tags: Vec<String>,
},
/// An identity record.
Identity {
#[arg(long)] collection: String,
#[arg(long)] title: String,
#[arg(long)] full_name: Option<String>,
#[arg(long)] email: Option<String>,
#[arg(long)] phone: Option<String>,
#[arg(long, value_delimiter = ',')] tags: Vec<String>,
},
// Admin + item subcommands are added by later tasks (B10-B14).
}
fn main() -> Result<()> {
@@ -612,111 +481,10 @@ fn main() -> Result<()> {
OrgCommands::Init { name } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_init(&d, &name)?;
}
OrgCommands::AddMember { key, name, role } => {
let d = crate::org_session::org_dir(dir_path)?;
let role = parse_org_role(&role)?;
commands::org::run_add_member(&d, &key, &name, role)?;
}
OrgCommands::RemoveMember { member_id } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_remove_member(&d, &member_id)?;
}
OrgCommands::SetRole { member_id, role } => {
let d = crate::org_session::org_dir(dir_path)?;
let role = parse_org_role(&role)?;
commands::org::run_set_role(&d, &member_id, role)?;
}
OrgCommands::CreateCollection { slug, name } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_create_collection(&d, &slug, &name)?;
}
OrgCommands::Grant { member_id, collection } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_grant(&d, &member_id, &collection)?;
}
OrgCommands::Revoke { member_id, collection } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_revoke(&d, &member_id, &collection)?;
}
OrgCommands::RotateKey => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_rotate_key(&d)?;
}
OrgCommands::TransferOwnership { member_id, keep_owner } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_transfer_ownership(&d, &member_id, keep_owner)?;
}
OrgCommands::DeleteOrg { confirm } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_delete_org(&d, confirm)?;
}
OrgCommands::Status => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_status(&d)?;
}
OrgCommands::Audit { since, member, collection, action, format } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_audit(&d, since.as_deref(), member.as_deref(),
collection.as_deref(), action.as_deref(), &format)?;
}
OrgCommands::Add { kind } => {
let d = crate::org_session::org_dir(dir_path)?;
let (collection, add_kind, tags) = match kind {
OrgAddKind::Login { collection, title, username, url, password, tags } => (
collection,
commands::org::OrgAddKind::Login { title, username, url, password },
tags,
),
OrgAddKind::SecureNote { collection, title, body, tags } => (
collection,
commands::org::OrgAddKind::SecureNote { title, body },
tags,
),
OrgAddKind::Identity { collection, title, full_name, email, phone, tags } => (
collection,
commands::org::OrgAddKind::Identity { title, full_name, email, phone },
tags,
),
};
commands::org::run_add(&d, &collection, add_kind, tags)?;
}
OrgCommands::Get { query, show } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_get(&d, &query, show)?;
}
OrgCommands::List { trashed } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_list(&d, trashed)?;
}
OrgCommands::Edit { query, title, username, url, password, body, email, phone, full_name } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_edit(&d, &query, title, username, url, password, body, email, phone, full_name)?;
}
OrgCommands::Rm { query } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_rm(&d, &query)?;
}
OrgCommands::Restore { query } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_restore(&d, &query)?;
}
OrgCommands::Purge { query } => {
let d = crate::org_session::org_dir(dir_path)?;
commands::org::run_purge(&d, &query)?;
}
}
Ok(())
}
}
}
fn parse_org_role(s: &str) -> anyhow::Result<relicario_core::OrgRole> {
match s {
"owner" => Ok(relicario_core::OrgRole::Owner),
"admin" => Ok(relicario_core::OrgRole::Admin),
"member" => Ok(relicario_core::OrgRole::Member),
other => anyhow::bail!("unknown role `{other}` — use owner, admin, or member"),
}
}
}

29
crates/relicario-cli/src/org_session.rs
View File

@@ -39,14 +39,8 @@ impl UnlockedOrgVault {
}
pub fn members_path(&self) -> PathBuf { self.root.join("members.json") }
pub fn collections_path(&self) -> PathBuf { self.root.join("collections.json") }
// OrgMeta accessors — part of the UnlockedOrgVault path/loader API surface
// (parallel to members_path/collections_path + load_members), retained for
// completeness. No command consumes org.json yet; surfacing the org
// name/id in `org status` is a tracked follow-up, so allow until then.
#[allow(dead_code)]
pub fn org_meta_path(&self) -> PathBuf { self.root.join("org.json") }
#[allow(dead_code)]
pub fn load_meta(&self) -> Result<OrgMeta> {
let s = fs::read_to_string(self.org_meta_path()).context("read org.json")?;
Ok(serde_json::from_str(&s).context("parse org.json")?)
@@ -191,7 +185,7 @@ pub fn open_org_vault(dir_flag: Option<&std::path::Path>) -> Result<UnlockedOrgV
fs::read(&key_path).with_context(|| format!("read {}", key_path.display()))?;
// Recover the device ed25519 seed and unwrap.
let seed = crate::device::current_device_seed()?;
let seed = current_device_seed()?;
let org_key = relicario_core::unwrap_org_key(&wrapped, &seed)?;
Ok(UnlockedOrgVault { root, org_key })
@@ -208,6 +202,27 @@ fn current_device_fingerprint() -> Result<String> {
}
/// Recover the active device's ed25519 seed (the 32-byte private scalar source)
/// from its OpenSSH `signing.key`, for ECIES unwrap.
fn current_device_seed() -> Result<Zeroizing<[u8; 32]>> {
let name = crate::device::current_device()?
.ok_or_else(|| anyhow::anyhow!("no active device — run `relicario device add` first"))?;
let key_pem = crate::device::load_signing_key(&name)?;
let private = ssh_key::PrivateKey::from_openssh(key_pem.as_str())
.map_err(|e| anyhow::anyhow!("parse device signing key: {e}"))?;
let ed = private
.key_data()
.ed25519()
.ok_or_else(|| anyhow::anyhow!("device signing key is not ed25519"))?;
// Ed25519PrivateKey derefs to its 32-byte seed.
let seed_bytes: &[u8] = ed.private.as_ref();
if seed_bytes.len() != 32 {
anyhow::bail!("ed25519 seed has wrong length: {}", seed_bytes.len());
}
let mut seed = Zeroizing::new([0u8; 32]);
seed.copy_from_slice(seed_bytes);
Ok(seed)
}
pub(crate) fn atomic_write(path: &Path, data: &[u8]) -> Result<()> {
let mut tmp = path.as_os_str().to_owned();
tmp.push(".tmp");

215
crates/relicario-cli/tests/org_authz.rs
View File

@@ -1,215 +0,0 @@
//! Authorization regression tests for the `relicario org` item commands.
//!
//! These cover two gaps the B9B14 item-CRUD work left open:
//! 1. Grant-DENIAL on the read/mutate-by-query commands (`get`, `edit`, `rm`,
//! `restore`, `purge`). Only `add` had a denial test before this. An
//! ungranted member must be rejected by EVERY one of them, and `get` must
//! not leak the item's plaintext.
//! 2. SecureNote body masking on `org get`, mirroring the Login-password
//! masking already asserted in `org_items.rs`.
//!
//! The multi-member harness mirrors `org_lifecycle.rs`'s `Dev` pattern: each
//! `Dev` is an isolated XDG config home carrying its own ed25519 device key, so
//! a second member can be added with their OWN keypair and then attempt commands
//! against the shared vault.
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use tempfile::TempDir;
/// A device home (its own XDG config + ed25519 signing key). One `Dev` is the
/// owner; a second `Dev` plays the ungranted member.
struct Dev {
xdg: PathBuf,
_config: TempDir,
}
impl Dev {
/// Generate an OpenSSH ed25519 signing key for `name` and mark it current.
fn new(name: &str) -> Self {
let config = TempDir::new().unwrap();
let xdg = config.path().to_path_buf();
let devices = xdg.join("relicario").join("devices").join(name);
std::fs::create_dir_all(&devices).unwrap();
let keyfile = devices.join("signing.key");
let st = Command::new("ssh-keygen")
.args(["-t", "ed25519", "-N", "", "-C", "relicario-test", "-f"])
.arg(&keyfile)
.stdout(Stdio::null())
.stderr(Stdio::null())
.status()
.expect("ssh-keygen");
assert!(st.success(), "ssh-keygen failed");
std::fs::rename(devices.join("signing.key.pub"), devices.join("signing.pub")).unwrap();
std::fs::write(
xdg.join("relicario").join("devices").join("current"),
format!("{name}\n"),
)
.unwrap();
Dev { xdg, _config: config }
}
/// The OpenSSH public key string for one of this device's keys.
fn pubkey(&self, name: &str) -> String {
std::fs::read_to_string(
self.xdg.join("relicario").join("devices").join(name).join("signing.pub"),
)
.unwrap()
.trim()
.to_string()
}
/// Run `relicario <args>` against `vault` with this device active.
fn run(&self, vault: &Path, args: &[&str]) -> std::process::Output {
let mut cmd = Command::cargo_bin("relicario").unwrap();
cmd.env("XDG_CONFIG_HOME", &self.xdg)
.env("RELICARIO_ORG_DIR", vault)
.args(args)
.stdin(Stdio::null())
.stdout(Stdio::piped())
.stderr(Stdio::piped());
cmd.output().unwrap()
}
}
fn owner_member_id(vault: &Path) -> String {
let s = std::fs::read_to_string(vault.join("members.json")).unwrap();
let v: serde_json::Value = serde_json::from_str(&s).unwrap();
v["members"][0]["member_id"].as_str().unwrap().to_string()
}
/// Look up a member's id by display name (used to find a freshly added member).
fn member_id_by_name(vault: &Path, name: &str) -> String {
let s = std::fs::read_to_string(vault.join("members.json")).unwrap();
let v: serde_json::Value = serde_json::from_str(&s).unwrap();
v["members"]
.as_array()
.unwrap()
.iter()
.find(|m| m["display_name"] == name)
.unwrap_or_else(|| panic!("member `{name}` not found in members.json"))
["member_id"]
.as_str()
.unwrap()
.to_string()
}
use assert_cmd::cargo::CommandCargoExt as _;
#[test]
fn org_get_edit_rm_restore_purge_reject_ungranted_member() {
// Owner inits an org, creates `prod`, grants ONLY the owner, and adds an
// item into `prod`.
let owner_dev = Dev::new("owner-laptop");
let vault_tmp = TempDir::new().unwrap();
let vault = vault_tmp.path();
assert!(owner_dev
.run(vault, &["org", "init", "--dir", vault.to_str().unwrap(), "--name", "Acme"])
.status
.success());
let owner = owner_member_id(vault);
assert!(owner_dev.run(vault, &["org", "create-collection", "prod", "--name", "Prod"]).status.success());
assert!(owner_dev.run(vault, &["org", "grant", &owner, "prod"]).status.success());
assert!(owner_dev
.run(vault, &[
"org", "add", "login", "--collection", "prod",
"--title", "GitHub", "--username", "alice", "--password", "hunter2",
])
.status
.success());
// A SECOND member joins with their OWN device key but is NOT granted `prod`.
let other_dev = Dev::new("other-laptop");
let other_pub = other_dev.pubkey("other-laptop");
assert!(owner_dev
.run(vault, &["org", "add-member", "--key", &other_pub, "--name", "Mallory", "--role", "member"])
.status
.success());
// Sanity: the member exists but holds no collection grants.
let mallory = member_id_by_name(vault, "Mallory");
assert!(!mallory.is_empty());
// EVERY read/mutate-by-query command must be rejected for the ungranted
// member, and `get` must NOT print the plaintext password.
let get = other_dev.run(vault, &["org", "get", "GitHub"]);
let get_out = String::from_utf8_lossy(&get.stdout).to_string();
let get_err = String::from_utf8_lossy(&get.stderr).to_string();
assert!(!get.status.success(), "get must be rejected for ungranted member: {get_out}{get_err}");
assert!(!get_out.contains("hunter2"), "get leaked plaintext to ungranted member: {get_out}");
assert!(!get_out.contains("alice"), "get leaked username to ungranted member: {get_out}");
assert!(
get_err.contains("no item matches") || get_err.contains("access denied"),
"get error should be denial / not-found: {get_err}"
);
// get --show must ALSO be denied and reveal nothing.
let get_show = other_dev.run(vault, &["org", "get", "GitHub", "--show"]);
assert!(!get_show.status.success(), "get --show must be rejected for ungranted member");
assert!(
!String::from_utf8_lossy(&get_show.stdout).contains("hunter2"),
"get --show leaked plaintext to ungranted member"
);
for (label, args) in [
("edit", vec!["org", "edit", "GitHub", "--username", "evil"]),
("rm", vec!["org", "rm", "GitHub"]),
("restore", vec!["org", "restore", "GitHub"]),
("purge", vec!["org", "purge", "GitHub"]),
] {
let out = other_dev.run(vault, &args);
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
assert!(
!out.status.success(),
"`org {label}` must be rejected for ungranted member; stderr: {stderr}"
);
assert!(
stderr.contains("no item matches") || stderr.contains("access denied"),
"`org {label}` error should be denial / not-found: {stderr}"
);
}
// The item is untouched: the owner can still read the original password and
// the username was NOT changed to the ungranted member's "evil" attempt.
let owner_get = owner_dev.run(vault, &["org", "get", "GitHub", "--show"]);
let owner_out = String::from_utf8_lossy(&owner_get.stdout).to_string();
assert!(owner_get.status.success(), "owner should still read the item");
assert!(owner_out.contains("hunter2"), "owner read must still show original password: {owner_out}");
assert!(owner_out.contains("alice"), "edit by ungranted member must not have changed username: {owner_out}");
assert!(!owner_out.contains("evil"), "ungranted edit leaked through: {owner_out}");
}
#[test]
fn org_get_masks_secure_note_body_until_show() {
let owner_dev = Dev::new("owner-laptop");
let vault_tmp = TempDir::new().unwrap();
let vault = vault_tmp.path();
assert!(owner_dev
.run(vault, &["org", "init", "--dir", vault.to_str().unwrap(), "--name", "Acme"])
.status
.success());
let owner = owner_member_id(vault);
assert!(owner_dev.run(vault, &["org", "create-collection", "prod", "--name", "Prod"]).status.success());
assert!(owner_dev.run(vault, &["org", "grant", &owner, "prod"]).status.success());
assert!(owner_dev
.run(vault, &[
"org", "add", "secure-note", "--collection", "prod",
"--title", "Recovery", "--body", "super-secret-body",
])
.status
.success());
// Default get masks the body and never prints the plaintext.
let masked = owner_dev.run(vault, &["org", "get", "Recovery"]);
assert!(masked.status.success(), "get: {}", String::from_utf8_lossy(&masked.stderr));
let masked_out = String::from_utf8_lossy(&masked.stdout).to_string();
assert!(masked_out.contains("********"), "expected masked body: {masked_out}");
assert!(!masked_out.contains("super-secret-body"), "masked get leaked the body: {masked_out}");
// get --show reveals the body.
let shown = owner_dev.run(vault, &["org", "get", "Recovery", "--show"]);
assert!(shown.status.success(), "get --show: {}", String::from_utf8_lossy(&shown.stderr));
let shown_out = String::from_utf8_lossy(&shown.stdout).to_string();
assert!(shown_out.contains("super-secret-body"), "expected plaintext body with --show: {shown_out}");
}

4
crates/relicario-cli/tests/org_init_signing.rs
View File

@@ -3,10 +3,6 @@ use std::path::Path;
use std::process::Command;
use tempfile::TempDir;
// Base runner kept as the documented counterpart to relicario_with_git_identity
// below (every test in this file needs the git identity, so only the _with_
// variant is currently called).
#[allow(dead_code)]
fn relicario(config_home: &Path, args: &[&str]) -> std::process::Output {
Command::new(env!("CARGO_BIN_EXE_relicario"))
.env("XDG_CONFIG_HOME", config_home)

217
crates/relicario-cli/tests/org_items.rs
View File

@@ -1,217 +0,0 @@
use assert_cmd::cargo::CommandCargoExt as _;
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use tempfile::TempDir;
/// A throwaway org vault with a device signing key wired via XDG_CONFIG_HOME.
struct OrgFixture {
_config: TempDir,
vault: TempDir,
xdg: PathBuf,
}
impl OrgFixture {
/// Generate an ed25519 signing key in OpenSSH format using ssh-keygen and
/// register it as the current device, then `org init`.
fn new() -> Self {
let config = TempDir::new().unwrap();
let xdg = config.path().to_path_buf();
let devices = xdg.join("relicario").join("devices").join("laptop");
std::fs::create_dir_all(&devices).unwrap();
// Generate an OpenSSH ed25519 keypair without a passphrase.
let keyfile = devices.join("signing.key");
let status = Command::new("ssh-keygen")
.args(["-t", "ed25519", "-N", "", "-C", "relicario-test", "-f"])
.arg(&keyfile)
.stdout(Stdio::null())
.stderr(Stdio::null())
.status()
.expect("ssh-keygen");
assert!(status.success(), "ssh-keygen failed");
// ssh-keygen writes signing.key + signing.key.pub; rename the .pub to signing.pub.
std::fs::rename(devices.join("signing.key.pub"), devices.join("signing.pub")).unwrap();
// Mark this device current.
std::fs::write(
xdg.join("relicario").join("devices").join("current"),
"laptop\n",
)
.unwrap();
let vault = TempDir::new().unwrap();
let f = OrgFixture { _config: config, vault, xdg };
let out = f.run(&["org", "init", "--dir", f.vault_str(), "--name", "Acme"]);
assert!(out.status.success(), "org init failed: {}", String::from_utf8_lossy(&out.stderr));
f
}
fn vault_path(&self) -> &Path { self.vault.path() }
fn vault_str(&self) -> &str { self.vault.path().to_str().unwrap() }
fn run(&self, args: &[&str]) -> std::process::Output {
let mut cmd = Command::cargo_bin("relicario").unwrap();
cmd.env("XDG_CONFIG_HOME", &self.xdg)
.env("RELICARIO_ORG_DIR", self.vault.path())
.args(args)
.stdin(Stdio::null())
.stdout(Stdio::piped())
.stderr(Stdio::piped());
cmd.output().unwrap()
}
/// Owner member id printed by `org init`/`org status`. We read it from
/// members.json directly to avoid parsing stdout.
fn owner_member_id(&self) -> String {
let s = std::fs::read_to_string(self.vault.path().join("members.json")).unwrap();
let v: serde_json::Value = serde_json::from_str(&s).unwrap();
v["members"][0]["member_id"].as_str().unwrap().to_string()
}
}
#[test]
fn org_add_get_list_round_trip() {
let f = OrgFixture::new();
let owner = f.owner_member_id();
// Create a collection and grant the owner access to it.
let out = f.run(&["org", "create-collection", "prod", "--name", "Production"]);
assert!(out.status.success(), "create-collection: {}", String::from_utf8_lossy(&out.stderr));
let out = f.run(&["org", "grant", &owner, "prod"]);
assert!(out.status.success(), "grant: {}", String::from_utf8_lossy(&out.stderr));
// Add a login into the prod collection.
let out = f.run(&[
"org", "add", "login", "--collection", "prod",
"--title", "GitHub", "--username", "alice",
"--url", "https://github.com", "--password", "hunter2",
]);
assert!(out.status.success(), "org add: {}", String::from_utf8_lossy(&out.stderr));
// The blob must live under items/prod/, NOT flat items/.
let prod_dir = f.vault_path().join("items").join("prod");
let blobs: Vec<_> = std::fs::read_dir(&prod_dir).unwrap().collect();
assert_eq!(blobs.len(), 1, "expected one blob under items/prod/");
// list shows it.
let out = f.run(&["org", "list"]);
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
assert!(stdout.contains("GitHub"), "list missing GitHub: {stdout}");
// get masks by default.
let out = f.run(&["org", "get", "GitHub"]);
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
assert!(stdout.contains("********"), "expected masked secret: {stdout}");
assert!(!stdout.contains("hunter2"), "leaked plaintext: {stdout}");
// get --show reveals.
let out = f.run(&["org", "get", "GitHub", "--show"]);
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
assert!(stdout.contains("hunter2"), "expected plaintext with --show: {stdout}");
// The commit trailer records the action + collection + item.
let log = Command::new("git")
.args(["-C", f.vault_str(), "log", "-1", "--format=%B"])
.output()
.unwrap();
let body = String::from_utf8_lossy(&log.stdout).to_string();
assert!(body.contains("Relicario-Action: item-create"), "missing action trailer: {body}");
assert!(body.contains("Relicario-Collection: prod"), "missing collection trailer: {body}");
assert!(body.contains("Relicario-Item: "), "missing item trailer: {body}");
}
#[test]
fn org_add_rejects_ungranted_collection() {
let f = OrgFixture::new();
// Create the collection but do NOT grant the owner.
let out = f.run(&["org", "create-collection", "secret", "--name", "Secret"]);
assert!(out.status.success(), "create-collection: {}", String::from_utf8_lossy(&out.stderr));
let out = f.run(&[
"org", "add", "login", "--collection", "secret",
"--title", "X", "--username", "u", "--password", "p",
]);
assert!(!out.status.success(), "add into ungranted collection must fail");
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
assert!(stderr.contains("access denied") || stderr.contains("grant"), "unexpected error: {stderr}");
}
#[test]
fn org_add_rejects_unknown_collection() {
let f = OrgFixture::new();
let out = f.run(&[
"org", "add", "login", "--collection", "ghost",
"--title", "X", "--username", "u", "--password", "p",
]);
assert!(!out.status.success(), "add into nonexistent collection must fail");
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
assert!(stderr.contains("does not exist") || stderr.contains("ghost"), "unexpected error: {stderr}");
}
#[test]
fn org_edit_updates_fields_and_commits_update_trailer() {
let f = OrgFixture::new();
let owner = f.owner_member_id();
assert!(f.run(&["org", "create-collection", "prod", "--name", "Production"]).status.success());
assert!(f.run(&["org", "grant", &owner, "prod"]).status.success());
assert!(f.run(&[
"org", "add", "login", "--collection", "prod",
"--title", "Mail", "--username", "old", "--password", "pw",
]).status.success());
// Edit the username.
let out = f.run(&[
"org", "edit", "Mail", "--username", "new-user",
]);
assert!(out.status.success(), "org edit: {}", String::from_utf8_lossy(&out.stderr));
// get --show reflects the new username.
let out = f.run(&["org", "get", "Mail", "--show"]);
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
assert!(stdout.contains("new-user"), "edit did not take: {stdout}");
let log = Command::new("git")
.args(["-C", f.vault_str(), "log", "-1", "--format=%B"])
.output().unwrap();
let body = String::from_utf8_lossy(&log.stdout).to_string();
assert!(body.contains("Relicario-Action: item-update"), "missing update trailer: {body}");
assert!(body.contains("Relicario-Collection: prod"), "missing collection trailer: {body}");
}
#[test]
fn org_rm_restore_purge_cycle() {
let f = OrgFixture::new();
let owner = f.owner_member_id();
assert!(f.run(&["org", "create-collection", "prod", "--name", "Production"]).status.success());
assert!(f.run(&["org", "grant", &owner, "prod"]).status.success());
assert!(f.run(&[
"org", "add", "secure-note", "--collection", "prod",
"--title", "Recovery", "--body", "codes-here",
]).status.success());
// rm → appears only with --trashed.
assert!(f.run(&["org", "rm", "Recovery"]).status.success());
let listed = String::from_utf8_lossy(&f.run(&["org", "list"]).stdout).to_string();
assert!(!listed.contains("Recovery"), "trashed item still in default list: {listed}");
let trashed = String::from_utf8_lossy(&f.run(&["org", "list", "--trashed"]).stdout).to_string();
assert!(trashed.contains("Recovery"), "trashed item not in --trashed list: {trashed}");
// restore → back in default list.
assert!(f.run(&["org", "restore", "Recovery"]).status.success());
let listed = String::from_utf8_lossy(&f.run(&["org", "list"]).stdout).to_string();
assert!(listed.contains("Recovery"), "restore did not bring it back: {listed}");
// purge → blob gone, entry gone, item-purge trailer.
assert!(f.run(&["org", "purge", "Recovery"]).status.success());
let prod_dir = f.vault_path().join("items").join("prod");
let count = std::fs::read_dir(&prod_dir).map(|d| d.count()).unwrap_or(0);
assert_eq!(count, 0, "blob not purged from items/prod/");
let listed = String::from_utf8_lossy(&f.run(&["org", "list", "--trashed"]).stdout).to_string();
assert!(!listed.contains("Recovery"), "purged item still listed: {listed}");
let log = Command::new("git")
.args(["-C", f.vault_str(), "log", "-1", "--format=%B"])
.output().unwrap();
let body = String::from_utf8_lossy(&log.stdout).to_string();
assert!(body.contains("Relicario-Action: item-purge"), "missing purge trailer: {body}");
}

206
crates/relicario-cli/tests/org_lifecycle.rs
View File

@@ -1,206 +0,0 @@
use assert_cmd::cargo::CommandCargoExt as _;
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use tempfile::TempDir;
/// A device home + an org vault. A second device can be wired for multi-member.
struct Dev {
xdg: PathBuf,
_config: TempDir,
}
impl Dev {
fn new(name: &str) -> Self {
let config = TempDir::new().unwrap();
let xdg = config.path().to_path_buf();
let devices = xdg.join("relicario").join("devices").join(name);
std::fs::create_dir_all(&devices).unwrap();
let keyfile = devices.join("signing.key");
let st = Command::new("ssh-keygen")
.args(["-t", "ed25519", "-N", "", "-C", "relicario-test", "-f"])
.arg(&keyfile)
.stdout(Stdio::null()).stderr(Stdio::null())
.status().expect("ssh-keygen");
assert!(st.success());
std::fs::rename(devices.join("signing.key.pub"), devices.join("signing.pub")).unwrap();
std::fs::write(xdg.join("relicario").join("devices").join("current"), format!("{name}\n")).unwrap();
Dev { xdg, _config: config }
}
fn pubkey(&self, name: &str) -> String {
std::fs::read_to_string(
self.xdg.join("relicario").join("devices").join(name).join("signing.pub"),
).unwrap().trim().to_string()
}
fn run(&self, vault: &Path, args: &[&str]) -> std::process::Output {
let mut cmd = Command::cargo_bin("relicario").unwrap();
cmd.env("XDG_CONFIG_HOME", &self.xdg)
.env("RELICARIO_ORG_DIR", vault)
.args(args)
.stdin(Stdio::null()).stdout(Stdio::piped()).stderr(Stdio::piped());
cmd.output().unwrap()
}
}
fn owner_member_id(vault: &Path) -> String {
let s = std::fs::read_to_string(vault.join("members.json")).unwrap();
let v: serde_json::Value = serde_json::from_str(&s).unwrap();
v["members"][0]["member_id"].as_str().unwrap().to_string()
}
/// Set up an org with the owner granted `prod` and one login item in it.
fn setup_with_item() -> (Dev, TempDir, String) {
let dev = Dev::new("laptop");
let vault = TempDir::new().unwrap();
let v = vault.path();
assert!(dev.run(v, &["org", "init", "--dir", v.to_str().unwrap(), "--name", "Acme"]).status.success());
let owner = owner_member_id(v);
assert!(dev.run(v, &["org", "create-collection", "prod", "--name", "Prod"]).status.success());
assert!(dev.run(v, &["org", "grant", &owner, "prod"]).status.success());
assert!(dev.run(v, &[
"org", "add", "login", "--collection", "prod",
"--title", "GitHub", "--username", "alice", "--password", "hunter2",
]).status.success());
(dev, vault, owner)
}
// (b) audit --format json parses + has expected actions.
#[test]
fn audit_format_json_is_valid_and_has_actions() {
let (dev, vault, _owner) = setup_with_item();
let out = dev.run(vault.path(), &["org", "audit", "--format", "json"]);
assert!(out.status.success(), "audit json: {}", String::from_utf8_lossy(&out.stderr));
let stdout = String::from_utf8_lossy(&out.stdout);
let events: serde_json::Value = serde_json::from_str(&stdout).expect("audit json must parse");
let arr = events.as_array().expect("array");
let actions: Vec<&str> = arr.iter()
.filter_map(|e| e["action"].as_str())
.collect();
assert!(actions.contains(&"org-init"), "actions: {actions:?}");
assert!(actions.contains(&"collection-create"), "actions: {actions:?}");
assert!(actions.contains(&"item-create"), "actions: {actions:?}");
// Honest signer attribution: none of these should be TAMPERED (signer == trailer).
assert!(arr.iter().all(|e| e["tampered"] == serde_json::Value::Bool(false)));
}
// (a) a forged-trailer commit is flagged TAMPERED.
#[test]
fn forged_trailer_commit_is_flagged_tampered() {
let (dev, vault, owner) = setup_with_item();
let v = vault.path();
// Hand-craft a SIGNED commit whose trailer CLAIMS a different actor id than
// the real signer. We reuse the org repo's own signing config (set by
// `org init`), so the commit verifies — but the trailer lies.
std::fs::write(v.join("decoy.txt"), "x").unwrap();
let git = |args: &[&str]| {
Command::new("git").current_dir(v).args(args)
.env("XDG_CONFIG_HOME", &dev.xdg)
.output().unwrap()
};
assert!(git(&["add", "decoy.txt"]).status.success());
let forged_msg = format!(
"forged\n\nRelicario-Actor: impostor ffffffffffffffff\nRelicario-Action: item-update\nRelicario-Member: {owner}"
);
// commit -S uses the repo's configured signing key (the real owner key).
let c = git(&["commit", "-S", "-m", &forged_msg]);
assert!(c.status.success(), "forged commit: {}", String::from_utf8_lossy(&c.stderr));
let out = dev.run(v, &["org", "audit", "--format", "json"]);
let events: serde_json::Value =
serde_json::from_str(&String::from_utf8_lossy(&out.stdout)).unwrap();
let forged = events.as_array().unwrap().iter()
.find(|e| e["action"] == "item-update")
.expect("forged item-update event present");
// Trailer claims ffff... but the verified signer is the owner → TAMPERED.
assert_eq!(forged["tampered"], serde_json::Value::Bool(true));
assert_eq!(forged["actor_id"].as_str(), Some(owner.as_str()));
}
// (c) concurrent rotate-key aborts with the exact spec error string.
#[test]
fn concurrent_rotate_key_aborts_with_spec_string() {
let (dev, vault, _owner) = setup_with_item();
let origin = TempDir::new().unwrap();
let v = vault.path();
let git = |args: &[&str]| Command::new("git").current_dir(v).args(args)
.env("XDG_CONFIG_HOME", &dev.xdg).output().unwrap();
// Make a bare origin and push, so a divergent upstream can be simulated.
assert!(Command::new("git").args(["init", "--bare", origin.path().to_str().unwrap()])
.output().unwrap().status.success());
assert!(git(&["remote", "add", "origin", origin.path().to_str().unwrap()]).status.success());
assert!(git(&["push", "-u", "origin", "HEAD"]).status.success());
// Diverge upstream: a second clone commits + pushes, writing to a SHARED file
// so that `git pull --rebase` will hit a merge conflict (add/add or edit/edit)
// and exit non-zero — which is how run_rotate_key detects a concurrent rotation.
let clone2 = TempDir::new().unwrap();
assert!(Command::new("git")
.args(["clone", origin.path().to_str().unwrap(), clone2.path().to_str().unwrap()])
.output().unwrap().status.success());
std::fs::write(clone2.path().join("conflict.txt"), "upstream-version").unwrap();
for a in [&["add", "conflict.txt"][..], &["-c", "user.email=u@u", "-c", "user.name=u", "commit", "-m", "upstream"][..], &["push", "origin", "HEAD:master"][..], &["push", "origin", "HEAD:main"][..]] {
let _ = Command::new("git").current_dir(clone2.path()).args(a).output();
}
// Local also writes conflict.txt with different content → add/add conflict on pull.
std::fs::write(v.join("conflict.txt"), "local-version").unwrap();
assert!(git(&["add", "conflict.txt"]).status.success());
assert!(git(&["-c", "commit.gpgsign=false", "commit", "-m", "local"]).status.success());
let out = dev.run(v, &["org", "rotate-key"]);
let stderr = String::from_utf8_lossy(&out.stderr);
assert!(!out.status.success(), "rotate-key should abort on a concurrent rotation");
assert!(
stderr.contains("Concurrent key rotation detected — pull and re-run org rotate-key."),
"missing spec error string: {stderr}"
);
}
// (d) remove-member → rotate-key → old clone cannot decrypt; remaining member can.
#[test]
fn removed_member_clone_cannot_decrypt_after_rotation() {
// Owner laptop sets up the org + a second member "bob".
let (owner_dev, vault, _owner) = setup_with_item();
let v = vault.path();
let bob = Dev::new("bob-laptop");
let bob_pub = bob.pubkey("bob-laptop");
// Owner adds Bob and grants him prod.
assert!(owner_dev.run(v, &["org", "add-member", "--key", &bob_pub, "--name", "Bob", "--role", "member"]).status.success());
let members = std::fs::read_to_string(v.join("members.json")).unwrap();
let mv: serde_json::Value = serde_json::from_str(&members).unwrap();
let bob_id = mv["members"].as_array().unwrap().iter()
.find(|m| m["display_name"] == "Bob").unwrap()["member_id"].as_str().unwrap().to_string();
assert!(owner_dev.run(v, &["org", "grant", &bob_id, "prod"]).status.success());
// Bob clones the vault dir (his device, his key blob is present).
// `cp -r /vault /dst/` places contents at `/dst/<vault_basename>/` — use that
// sub-path, not the TempDir root, as the vault for Bob's commands.
let bob_clone = TempDir::new().unwrap();
let vault_basename = v.file_name().unwrap();
let cp = Command::new("cp").args(["-r", v.to_str().unwrap(), bob_clone.path().to_str().unwrap()]).output().unwrap();
assert!(cp.status.success());
let bob_vault = bob_clone.path().join(vault_basename);
// Bob can read the item BEFORE removal.
let pre = bob.run(&bob_vault, &["org", "get", "GitHub", "--show"]);
assert!(String::from_utf8_lossy(&pre.stdout).contains("hunter2"), "bob should read pre-removal");
// Owner removes Bob and rotates the key in the live vault.
assert!(owner_dev.run(v, &["org", "remove-member", &bob_id]).status.success());
assert!(owner_dev.run(v, &["org", "rotate-key"]).status.success());
// Owner (remaining member) can still decrypt in the live vault.
let owner_get = owner_dev.run(v, &["org", "get", "GitHub", "--show"]);
assert!(String::from_utf8_lossy(&owner_get.stdout).contains("hunter2"), "owner must still read");
// Copy the rotated item + manifest into Bob's stale clone (simulating a
// pull) — his OLD key blob can no longer unwrap the rotated org key.
let _ = Command::new("cp").args(["-r",
v.join("items").to_str().unwrap(), bob_vault.to_str().unwrap()]).output();
let _ = std::fs::copy(v.join("manifest.enc"), bob_vault.join("manifest.enc"));
let post = bob.run(&bob_vault, &["org", "get", "GitHub", "--show"]);
assert!(!post.status.success() || !String::from_utf8_lossy(&post.stdout).contains("hunter2"),
"removed member must NOT decrypt post-rotation: {}", String::from_utf8_lossy(&post.stdout));
}

2
crates/relicario-core/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "relicario-core"
version = "0.8.0"
version = "0.7.0"
edition = "2021"
description = "Core library for relicario password manager"
license = "GPL-3.0-or-later"

2
crates/relicario-wasm/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "relicario-wasm"
version = "0.8.0"
version = "0.7.0"
edition = "2021"
description = "WASM bindings for relicario password manager"
license = "GPL-3.0-or-later"

2
docs/CRYPTO.md
View File

@@ -272,7 +272,7 @@ a local clone of the repo cannot decrypt any item written after the rotation, be
those blobs are sealed under a key they never received. Without re-encryption, all
pre-rotation blobs would remain readable to the former member indefinitely.
The item-CRUD commands (`org add`/`get`/`list`/`edit`/`rm`/`restore`/`purge`) that read and write these blobs are merged and wired into `main.rs`; each operates under the org master key recovered by `unwrap_org_key`.
> **TODO (pending Dev-B B9B14):** item-CRUD commands (`org add`/`get`/`list`/`edit`/`rm`/`restore`/`purge`) and the final `Commands::Org` wiring in `main.rs` are not yet merged.
## imgsecret DCT Embedding

4
docs/FORMATS.md
View File

@@ -121,9 +121,9 @@ Contrast with the personal vault manifest: `Manifest` uses `MANIFEST_SCHEMA_VERS
Standard `.enc` blob (see **Encrypted blob** above), encrypted under the org master key. The blob itself does **not** name its collection — the directory path segment carries the slug. This allows the pre-receive hook (`relicario-server`) to authorize a write by path segment without decrypting the blob.
These blobs are written and read by the `relicario org` item commands (`org add` / `get` / `list` / `edit` / `rm` / `restore` / `purge`), all collection-scoped and grant-enforced. `org add` currently creates Login / SecureNote / Identity items; `get` / `list` display any item type present.
**TODO (pending Dev-B B9B14):** CLI commands for creating, reading, editing, and deleting org items (`org add` / `get` / `list` / `edit` / `rm` / `restore` / `purge`) are not yet wired in `main.rs`.
**TODO (extension follow-up):** extension UI for browsing and editing org vault items. **Deferred:** `org add` / `edit` parity for Card / Key / Document / Totp item types.
**TODO (extension follow-up):** extension UI for browsing and editing org vault items.
## Item IDs and Field IDs

8
docs/SECURITY.md
View File

@@ -154,13 +154,13 @@ the cryptographically verified signer.
Actions live in two groups:
- **Membership / collections / lifecycle:** `member-add`, `member-remove`,
- **Live (merged A + C streams):** `member-add`, `member-remove`,
`member-role-change`, `collection-create`, `collection-grant`,
`collection-revoke`, `key-rotate`, `org-init`, `ownership-transfer`,
`org-delete`.
- **Item CRUD:** `item-create`, `item-update`, `item-delete` (soft-delete /
trash), `item-restore`, `item-purge` — emitted by the `org add` / `edit` /
`rm` / `restore` / `purge` commands.
- **TODO (pending Dev-B B9B13):** `item-create`, `item-update`,
`item-delete`, `item-restore`, `item-purge` the emitter code lands with
the item-CRUD command stream.
### Honest limitations