alee/relicario
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

v0.5.0 Plan B: extension UX polish + bug fixes #1

Closed
alee wants to merge 0 commits from feature/v0.5.0-plan-b-extension-ux into main
pull from: feature/v0.5.0-plan-b-extension-ux
merge into: alee:main
Conversation 0 Commits - Files Changed -
alee commented 2026-05-02 23:28:03 +00:00
Owner
Copy Link

Summary

Implements Plan B for v0.5.0 polish + harden:

  • P4: Centralized ERROR_COPY map — every snake_case error code returned by the service worker router now maps to a friendly title/body/CTA. The popup's humanizeError regex chain and the fullscreen tab's raw state.error renders both replaced. A generated test discovers codes via live grep so the registry can't drift. (Closes B2.)
  • B1: Strength-meter regenerate desync fix — dispatch synthetic InputEvent('input', { bubbles: true }) after programmatic input.value assignment so the meter re-rates the new password.
  • P1: Password coloring — colorizePassword() pure utility splits passwords into character-class runs (digit/symbol/letter), with CSS custom-property defaults and a chrome.storage.sync-backed color scheme. Applied to field-history viewer, popup item-detail, fullscreen item-detail (shared code path), and generator preview. Boot-time applyColorScheme() wired to both popup and vault. Settings Display section with live swatch and reset.
  • P3: Form-layout envelope constraint (Approach A) — lower form sections (notes, custom-fields disclosure, attachments, form-actions) in the fullscreen login form now sit inside a .form-lower wrapper with the same max-width: 960px; margin: 0 auto envelope as .form-grid. Popup unchanged (gated on surface === 'fullscreen').
  • P2: Setup wizard → fullscreen vault tab handoff — finishSetup() opens vault.html in a new tab and best-effort closes the setup tab after successful device registration.

Spec: docs/superpowers/specs/2026-05-02-v0.5.0-polish-harden-design.md
Plan: docs/superpowers/plans/2026-05-02-v0.5.0-plan-b-extension-ux.md

Test plan

  • npx vitest run — 336 passed, 8 known pre-existing failures (all device-related)
  • npm run build — webpack compiled (pre-existing WASM module errors in service-worker, unrelated to this work)
  • cargo build -p relicario-wasm --target wasm32-unknown-unknown — clean
  • Manual viewport sweep at 1920×1080, 1440×900, 1024×768, 768×1024 (requires loaded extension in Chrome)
  • Manual setup-flow smoke — vault tab opens, setup closes (requires loaded extension in Chrome)
  • PM review

Viewport sweep notes

Manual viewport sweep requires loading the built extension in Chrome with a configured vault. Recommend PM/reviewer to verify P3 form layout visually.

P2 smoke note

Setup → vault tab handoff requires a Gitea instance for the full flow. Core logic verified by Vitest (chrome.tabs.create called with vault.html; tab-close failure is swallowed).

## Summary Implements Plan B for v0.5.0 polish + harden: - **P4**: Centralized `ERROR_COPY` map — every snake_case error code returned by the service worker router now maps to a friendly title/body/CTA. The popup's `humanizeError` regex chain and the fullscreen tab's raw `state.error` renders both replaced. A generated test discovers codes via live grep so the registry can't drift. (Closes B2.) - **B1**: Strength-meter regenerate desync fix — dispatch synthetic `InputEvent('input', { bubbles: true })` after programmatic `input.value` assignment so the meter re-rates the new password. - **P1**: Password coloring — `colorizePassword()` pure utility splits passwords into character-class runs (digit/symbol/letter), with CSS custom-property defaults and a `chrome.storage.sync`-backed color scheme. Applied to field-history viewer, popup item-detail, fullscreen item-detail (shared code path), and generator preview. Boot-time `applyColorScheme()` wired to both popup and vault. Settings Display section with live swatch and reset. - **P3**: Form-layout envelope constraint (Approach A) — lower form sections (notes, custom-fields disclosure, attachments, form-actions) in the fullscreen login form now sit inside a `.form-lower` wrapper with the same `max-width: 960px; margin: 0 auto` envelope as `.form-grid`. Popup unchanged (gated on `surface === 'fullscreen'`). - **P2**: Setup wizard → fullscreen vault tab handoff — `finishSetup()` opens `vault.html` in a new tab and best-effort closes the setup tab after successful device registration. Spec: `docs/superpowers/specs/2026-05-02-v0.5.0-polish-harden-design.md` Plan: `docs/superpowers/plans/2026-05-02-v0.5.0-plan-b-extension-ux.md` ## Test plan - [x] `npx vitest run` — 336 passed, 8 known pre-existing failures (all device-related) - [x] `npm run build` — webpack compiled (pre-existing WASM module errors in service-worker, unrelated to this work) - [x] `cargo build -p relicario-wasm --target wasm32-unknown-unknown` — clean - [ ] Manual viewport sweep at 1920×1080, 1440×900, 1024×768, 768×1024 (requires loaded extension in Chrome) - [ ] Manual setup-flow smoke — vault tab opens, setup closes (requires loaded extension in Chrome) - [ ] PM review ### Viewport sweep notes Manual viewport sweep requires loading the built extension in Chrome with a configured vault. Recommend PM/reviewer to verify P3 form layout visually. ### P2 smoke note Setup → vault tab handoff requires a Gitea instance for the full flow. Core logic verified by Vitest (`chrome.tabs.create` called with `vault.html`; tab-close failure is swallowed).
alee added 57 commits 2026-05-02 23:28:04 +00:00
docs: add security audits and Plan 4 for blocker fixes 71d51c0bea 
- 2026-04-18 initial audit verification (all fixed except H8)
- 2026-05-01 audit with 8 new findings (B1-B4, I1-I6)
- Plan 4: Security Blocker Fixes implementation plan

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add device authentication design spec 3d3e9ac7f2 
Real device auth replacing the security-theater implementation:
- Signing keys (ed25519) for commit signatures
- Deploy keys managed via Gitea API
- Server-side pre-receive hook enforcement
- CLI and extension feature parity
- Instant revocation (signing + push access)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add Plan 4 — Security Fixes + Device Authentication 27c4ac69cb 
Phase A: 8 security fixes (B2-B4, I1-I6)
Phase B: 10 tasks for real device authentication
- ed25519 signing keys with git SSH signing
- Deploy keys managed via Gitea API
- Pre-receive hook for server-side enforcement
- WASM API that keeps private keys internal

Total: 18 tasks

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(core): NFC normalize backup passphrase (audit B2) bbdbcca87b 
Backup KDF was passing raw passphrase bytes to Argon2id without NFC
normalization, causing cross-platform restore failures for non-ASCII
passphrases (macOS NFD vs Linux NFC).

Now matches derive_master_key behavior from crypto.rs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(core): expand AttachmentId to 128 bits, add is_valid (audit I2, B4) 466efe4b8a 
- AttachmentId now uses 16 bytes of SHA-256 (128 bits) instead of 8,
  requiring ~2^64 work for birthday collision instead of ~2^32.
- Added is_valid() to ItemId and AttachmentId for path traversal
  prevention during backup restore.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(core): disable HOTP with clear error (audit I6) 628e2bd636 
HOTP requires incrementing and persisting the counter after each use.
Without vault-save machinery in compute_totp_code, HOTP would desync
immediately. Now returns HotpNotSupported error.

TOTP and Steam codes continue to work.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(cli): gate test env vars with #[cfg(debug_assertions)] (audit B3) 2739eb4194 
RELICARIO_TEST_PASSPHRASE and friends were checked in production code,
exposing the passphrase via /proc/<pid>/environ and shell history.

Now only compiled into debug binaries via cfg(debug_assertions) helper
functions. Release builds compile the helpers to return None, so the
env var names are absent from the release binary (verified via strings).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(cli): validate IDs on backup restore (audit B4) 81f1f8ec31 
Crafted .relbak files with IDs like "../../.bashrc" could escape the
target directory. Now validates that item/attachment IDs are hex-only
via is_valid() before any fs::write.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(cli): sanitize item titles in commit messages (audit I1) d6703be2b1 
Control characters (newlines, tabs) in item titles corrupted git log
output. Now strips control chars and truncates to 50 chars.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(cli): enforce per-vault attachment bytes cap (audit I3) b9f44a3d4f 
per_vault_soft_cap_bytes and per_vault_hard_cap_bytes were defined in
VaultSettings but never checked. Now enforced in cmd_attach with
warning at soft cap, error at hard cap.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: document manifest integrity model (audit I4) 8e26c8708b 
Clarifies what AEAD protects (tampering) vs. what it doesn't (deletion,
rollback). Documents that git history is the audit trail and device
authentication is the mitigation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(core): add device module with ed25519 signing dc683c7e4c 
OpenSSH-format keypair generation, signing, and verification.
Foundation for device authentication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(cli): add Gitea API client for deploy keys 7e07d5d664 
Create, delete, and list deploy keys via Gitea REST API.
Foundation for device authentication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(server): add relicario-server for pre-receive hook 61f2f9c18f 
- verify-commit command checks signature against devices.json
- generate-hook outputs installable pre-receive script
- Foundation for server-side enforcement

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(cli): implement device add with signing + deploy key b1f9f2fbfc 
- Create crates/relicario-cli/src/device.rs: local key storage under
  ~/.config/relicario/devices/<name>/, current-device tracking, and
  git signing config (gpg.format=ssh, user.signingkey, core.sshCommand)
- Add Device command to CLI with add/revoke/list subcommands
- cmd_device add: generates two ed25519 keypairs (signing + deploy),
  registers deploy key via Gitea API, stores keys at 0600, configures
  git SSH signing, updates .relicario/devices.json and commits
- Gitea config read from flags or RELICARIO_GITEA_{URL,TOKEN,OWNER,REPO}
- --no-gitea flag skips API registration for non-Gitea remotes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(cli): implement device revoke 15d691abb2 
- Remove device from devices.json
- Append to revoked.json with timestamp and revoked_by
- Delete Gitea deploy key (best-effort, warns if env vars missing)
- Always commit both devices.json and revoked.json together
- Print revoked signing public key for audit confirmation
- Guard against revoking the current device (would lose push access)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(extension): update wasm.d.ts for secure device API 9845febb74 
New WASM bindings that keep private keys internal.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(extension): update devices.ts for revoked.json + deploy keys 520f6ec72c 
- Add createDeployKey/deleteDeployKey to GiteaHost
- Add RevokedEntry interface and readRevoked() to devices.ts
- Update revokeDevice() to write revoked.json alongside devices.json
- Update router to use new register_device WASM API (private keys internal)
- Pass revokedBy device name when revoking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(wasm): secure device API (private keys never cross to JS) fb1f28161c 
- register_device() generates signing + deploy keypairs via core device
  module, stores them in DEVICE_STATE (once_cell Lazy<Mutex>), and
  returns only public keys to JS
- sign_for_git() signs data using the internal signing key
- get_device_info() returns name and public keys; returns null if not
  registered
- clear_device() zeroes and drops device state (logout / re-registration)
- Removed generate_device_keypair() which exposed raw private key bytes

Fixes audit I5: private key material no longer crosses the WASM boundary.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(extension): update devices UI for new auth model c67d484152 
- Show revoked devices in collapsible section with strikethrough styling
- Fetch revoked.json via new list_revoked message + router case
- Registration flow uses register_device WASM API (private keys internal)
- Display revoked_by and timestamp for each revoked entry
- Update setup wizard to use new register_device API

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Merge feature/plan-4-security-fixes: security fixes + device authentication b1af0a11bc
docs(spec): Phase 2B form layout (fullscreen login) 8bf21501a5 
Two-column CSS Grid for login forms, sticky save bar, and dirty-state
header subtitle. Other item types stay single-column with the polish
applied. Stacks to single column at <=720px viewport.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(ext): capitalize Relicario in Firefox manifest, bump to 0.2.0 d0047e751f 
The Chrome manifest was already updated; the Firefox manifest still
showed lowercase 'relicario' as the extension name and was pinned at
0.1.0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs(spec): expand Phase 2B to polish foundation + form layout d6d07a19c1 
Bundles patina palette shift, logo update (translucent gradient gem),
glass-card vocabulary across login/setup/fullscreen, and the original
two-column form layout. Updates relicario-logo.svg and -16.svg to the
patina palette.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs(plan): Phase 2B polish foundation + form layout d038b24c6b 
13-task plan to land patina palette, polish vocabulary (.surface-backdrop,
.glass, .btn-primary/secondary, ▸ arrow glyph), restructured login popup,
setup wizard polish, two-column login form, sticky save bar, and dirty-
state header subtitle.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
style(ext/popup): add patina palette tokens 479e5848f5 
Replaces bright amber #d2ab43 with patina gold #a88a4a as the new base.
Keeps --accent as alias for backwards compatibility. Adds --bg-card
and --border-soft for upcoming glass card class.
style(ext/vault): add patina palette tokens 7370f119ee 
Mirrors popup/styles.css token block so the two surfaces share a
consistent color vocabulary.
style(ext): add .surface-backdrop class da61529de6 
Subtle radial top-glow + 18px grid texture. Used as the backdrop for
the login popup, setup wizard, and fullscreen vault shell.
style(ext): add .glass card class 91536ee50d 
Translucent fill, soft border, inner highlight, drop shadow. Used for
the unlock card, setup step cards, and form section panels.
style(ext): add .btn-primary and .btn-secondary classes 60d7c074c3 
Two-tier button hierarchy. .btn-primary uses patina gold fill; .btn-secondary
is a ghost button with muted border. Existing .btn class kept for
backwards compatibility.
feat(ext): add GLYPH_NEXT and replace ASCII arrows with ▸ 308ef2c974 
Replaces the ASCII rightwards arrow → with U+25B8 ▸ in settings-vault
buttons. Matches the existing ▾/▸ disclosure-glyph family.
feat(ext/popup): polish unlock view with logo lockup + glass card 7371eff0bb 
Restructures the unlock screen so the form sits in a glass card with
a primary 'unlock vault' button. Logo, brand, and tagline are grouped
as a lockup. Open-vault and settings are demoted to secondary buttons.
Body gets the .surface-backdrop wrapper.
feat(ext/setup): apply polish vocabulary to setup wizard 97e351fa61 
- Wraps setup content in .surface-backdrop
- Each wizard step gets a .glass card
- Mode-picker cards become glass cards
- 'next' / 'continue' buttons get the ▸ glyph
- Migrate from .btn .btn-primary to the new .btn-primary class
style(ext/vault): apply .surface-backdrop to fullscreen body 058a49f68b 
Subtle radial top-glow + grid texture behind the existing vault shell.
No layout changes — existing panes sit above the backdrop's ::before.
feat(ext/login): add surface flag for two-column fullscreen form a28b456191 
renderForm() takes an optional { surface: 'popup' | 'fullscreen' }
parameter. When 'fullscreen', the Identity and Credentials field
groups render as glass cards inside a .form-grid (two columns,
stacks at <=720px). Popup keeps its single-column layout.
feat(ext/vault): sticky save bar in fullscreen forms b270dfedb4 
The form pane gets a flex column layout: scrollable content above,
sticky save bar at bottom. Bar uses translucent fill with backdrop-blur
and a 24px gradient fade so content scrolls under it. Save / cancel
buttons reuse the form's existing handlers via externalActions flag.
feat(ext/vault): fullscreen form header with dirty-state subtitle f1c615c0ed 
Title left ('new login' / 'edit login'), subtitle below cycles between
'no changes' and 'unsaved · esc to cancel' on input events. Right side
shows the platform-aware save hint ('⌘+S to save' / 'Ctrl+S to save').
The actual ⌘+S keymap arrives in Phase 3 — this is a visual hint only.
Merge feature/phase-2b-polish: polish foundation + form layout 5da1e520e3
docs(spec): v0.5.0 polish + harden bundle 57237af39e 
Anchors on a HIGH-severity auth bypass in the relicario-server
pre-receive hook (revocation + registered-device checks both
unimplemented), bundles two hardening follow-ups, two confirmed
bugs, and four UX improvements. Splits into Plan A (Rust + docs)
and Plan B (extension UX) for independent merge cadence.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs(plan): v0.5.0 plans A/B and doc audit 3caa7af194 
Plan A (Rust + docs): S1 pre-receive hook fix, S2 tar
path-traversal hardening, S3 RELICARIO_* env-var audit, C1
stale branch cleanup. ~9 tasks, ~50 steps.

Plan B (extension UX): P4 error-copy centralization (subsumes
B2), B1 strength-meter regenerate fix, P1 password coloring
(inlined), P3 form-layout envelope, P2 setup → fullscreen tab.
~15 tasks, ~85 steps.

Doc audit: 14 findings, 6 fixed inline (README, ARCHITECTURE,
overview), 8 proposed for v0.5.0 release prep.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs: refresh README, ARCHITECTURE, overview for current state 900ccf1cf4 
Apply trivial-fix findings from the 2026-05-02 doc audit:
- README: items/ vs entries/, settings.enc + attachments/ +
  revoked.json in vault layout, full crate tree (relicario-wasm
  + relicario-server + typed-items modules), 16-char hex IDs,
  roadmap reflects shipped trains
- ARCHITECTURE.md: git-server box reflects items/ + 16-char IDs;
  relicario-core inner box lists typed-items modules
- architecture/overview.md: ID width / 128-bit AttachmentId

8 deeper findings still proposed for v0.5.0 release prep.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs: add v0.5.0 PM/Dev-A/Dev-B kickoff prompts c3d8778042 
Three-terminal coordination paradigm: a PM session reviews and
integrates while two senior-dev sessions work parallel feature
branches in their own worktrees, dispatching subagents per
task. Prompts encode roles, boundaries, status/directive/question
block formats for user-relayed cross-terminal coordination, and
pre-tag checklists.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
feat(ext/shared): centralize error-message copy in ERROR_COPY map 648dcf386e 
Replaces the popup's regex-chain humanizeError with a total lookup over
every error code returned by extension/src/service-worker/router/. A
generated test discovers codes via grep so the registry can't drift.
The popup keeps its small set of regex translators for Rust/serde error
phrasing that doesn't go through the router's error vocabulary.

Subsumes B2 — fullscreen consumer lands in the next commit.
test(ext/shared): pin fallback title assertion in error-copy test 214e1e49f8
fix(ext/vault): friendly error block in fullscreen tab (closes B2) 1c641b4911 
Replaces raw escapeHtml(state.error) renders with lookupErrorCopy()-driven
title/body/CTA blocks. vault_locked specifically gets an 'Unlock vault'
CTA that refocuses the passphrase input. Other CTAs route to setup.html
or chrome.runtime.reload().

Closes B2; concludes P4.
refactor(ext/vault): event delegation for error-cta + CSS variable consistency 575343dc19
fix(ext/login): dispatch input event after regenerate sets password (B1) 2df636e454 
Programmatic input.value = newPassword does not fire input events, so
the strength-meter listener at shared/form-affordances/password-tools.ts:65
never re-rates the new value — meter stays stuck on the prior reading.

Extract applyGeneratedPassword(input, value) helper that sets value, type,
then dispatches new InputEvent('input', { bubbles: true }). Vitest covers
the dispatch + a sanity check that bubbling listeners fire.
feat(ext/shared): color-scheme storage + applyColorScheme 25c9eb52a0 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(ext/shared): add colorizePassword utility 1de7cda1b0 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
style(ext): add password-coloring CSS rules + custom property defaults 518b41e9cd
feat(ext/popup/field-history): colorize revealed password entries 3e4312ca6f 
Import colorizePassword and post-process .revealed value cells after
innerHTML render, replacing escaped-HTML text with colored spans via
the valueStore plaintext lookup.
feat(ext/generator): colorize live password preview f45c275566
feat(ext/popup/item-detail): colorize revealed password field 6bca0b3526 
Add data-field-kind attribute to renderConcealedRow so wireFieldHandlers
can distinguish password fields from other concealed rows (TOTP secrets,
CVV, PIN, private keys). Apply colorizePassword() on reveal when kind is
"password"; plain textContent otherwise. Pass kind through renderSections
for custom-section password fields.
feat(ext): apply color scheme on popup + vault startup b928ed407b 
Import applyColorScheme in popup.ts and vault.ts, await it at boot,
and register a chrome.storage.onChanged listener so live color-picker
changes take effect without a reload.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(ext/settings): Display section with color pickers + swatch + reset b2fc56709a 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(ext/login): constrain lower form sections to .form-grid envelope (P3) 631e9af470 
Notes, custom-fields disclosure, attachments disclosure, and form-actions
in fullscreen logins now sit inside a .form-lower wrapper with the same
max-width: 960px; margin: 0 auto envelope as .form-grid above. Removes
the visual rhythm break at the 2-col -> full-width transition.

Popup keeps its current single-column behavior (gated on surface flag).
feat(ext/setup): hand off completion to fullscreen vault tab (P2) 4e9d834920 
After successful device registration (state.configPushed = true), the
wizard now opens vault.html in a new tab and closes the setup tab.
Both create-new and attach-existing flows funnel through the same
finishSetup() handler. Closing the setup tab is best-effort --
chrome.tabs.remove failures don't block the vault open.

Add src/__stubs__/relicario_wasm.stub.ts + vitest.config alias so
setup.ts can be imported in unit tests without the runtime WASM file.
Exclude the stubs dir from the webpack/tsc build in tsconfig.json.
alee closed this pull request 2026-05-03 21:06:48 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
alee
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: alee/relicario#1
Delete Branch "feature/v0.5.0-plan-b-extension-ux"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?