relicario/docs/test-checklists/2026-04-27-pre-v0.3.0-audit.md
adlee-was-taken 17ff79d5f6 docs: plan 3A spec + pre-v0.3.0 audit checklist
Plan 3A: backup & restore — drives the feature branch landing in
the next commit (merge of feature/backup-restore).

Pre-v0.3.0 audit checklist: manual smoke-test list for the v0.2.x
audit-pass commits (TOTP edit, history, detach, status, generator
defaults, vault-tab parity, sync button) — to walk through before
the v0.3.0 tag.
2026-04-29 20:29:09 -04:00

# Pre-v0.3.0 manual test checklist

Date: 2026-04-27

Scope: every change in `CHANGELOG.md`'s `Unreleased` section since `v0.2.0` (commits `a7dbf35`, `f79a67b`, `3f0f5b1`, `b951741`, `c66fd52`).

Purpose: smoke-walk the audit pass before drawing the line and tagging
v0.3.0. Treat as a logic spot-check, not a regression suite — the
automated tests (`cargo test`, the extension's vitest suite) handle
everything that already has test coverage; this list is the things that
need human eyeballs.

## CLI — new commands (commit `3f0f5b1`)
- [ ] `relicario status` inside an active vault — shows root path, item
counts (active / trashed), attachment count + total bytes, device
count, `git log -1` last-commit line.
- [ ] `relicario status` with at least one trashed item — trashed count
is non-zero; active count excludes it.
- [ ] `relicario history <query>` — masked by default (passwords show as
`••••`).
- [ ] `relicario history <query> --show` — values revealed in the clear.
- [ ] `relicario history <query> --field login_password` — filter works.
Also try the raw form (`--field core:login_password`) — both
should match.
- [ ] `relicario history <query>` on an item with no captured history —
prints "no history captured".
- [ ] `relicario detach <query> <aid>` — removes the attachment ref,
deletes the encrypted blob on disk, commits `detach: …`.
- [ ] `relicario detach <doc-item> <primary-aid>` — refuses with "use
`purge` instead".
- [ ] `relicario edit <totp-item>` — rotate issuer, label, then secret;
verify a `core:totp_secret` history entry is captured (visible via
`relicario history`).
- [ ] `relicario settings generator-defaults` (no flags) — prints
current defaults.
- [ ] `relicario settings generator-defaults --random --length 32`
flips mode + length, persists across runs.
- [ ] `relicario settings generator-defaults --bip39 --words 7
--separator -` — mode flip persists.
- [ ] `relicario generate` inside vault — uses the stored defaults.
- [ ] `relicario generate --length 8` inside vault — explicit flag
overrides the stored default.
- [ ] `relicario generate` outside any vault — still works at hardcoded
defaults (length 20, BIP39 5 words). No unlock prompt.
## Extension — popup (commit `a7dbf35`)
- [ ] Settings view → "Sync now" — refresh succeeds with "synced ✓";
force a sync with a bad token to confirm the error string
surfaces.
- [ ] Item-list toolbar sync button — same coverage.
- [ ] Devices view on a fresh install whose `device_name` isn't on the
remote — banner appears.
- [ ] Click "Register this device" → enter a name → confirm → device
appears in the list, banner disappears.
- [ ] Verify keypair persists across SW restart (re-open popup; banner
should NOT return).
## Extension — vault tab parity (commit `a7dbf35`)
- [ ] Open `vault.html` (Ctrl+Shift+L or popup pop-out). All views
render: list, detail, add, edit, settings, settings-vault, trash,
devices, field-history.
- [ ] `register_this_device` works from the vault tab the same way as
the popup.
- [ ] Inactivity timer still fires when only the vault tab is open (no
popup activity).
- [ ] Wrong-extension sender check — install a second extension, send
a message; should be rejected. (Covered by `router.test.ts:373-384`
but worth one manual sanity run if time permits.)
## Setup wizard (commit `f79a67b` — pure-helper extraction)
- [ ] First-run new-vault path: zxcvbn meter still updates within ~150
ms of typing; strength label changes through the five tiers as
the passphrase strengthens.
- [ ] First-run attach path: passphrase / image rejection produces the
exact "Could not decrypt vault — wrong passphrase or reference
image." string (no oracle leak).
- [ ] Step 5 device registration completes without manual fallback when
the extension is reachable.
## Refactor — cmd_add / cmd_edit per-type helpers (commit `3f0f5b1`)
For each `ItemCore` variant: spin up the form, save, re-open, edit,
save, verify the on-disk item stays valid. Drives both `build_*_item`
and `edit_*`.
- [ ] Login (with embedded TOTP sub-config)
- [ ] SecureNote
- [ ] Identity
- [ ] Card
- [ ] Key
- [ ] Document (add via `attach`; `edit` should print the "use `attach`
/ `extract`" message)
- [ ] Standalone Totp
## Build / test gates
- [ ] `cargo test` — all green.
- [ ] `cargo test -p relicario-cli --test basic_flows` (and the other
named integration tests) — green individually.
- [ ] `cargo build -p relicario-wasm --target wasm32-unknown-unknown` —
succeeds.
- [ ] Extension Chrome build (`webpack`) — produces a loadable
extension.
- [ ] Extension Firefox build (`webpack.firefox.config.js`) — produces
a loadable extension.
- [ ] Load in Chrome, load in Firefox, smoke-unlock an existing vault.
## Architecture-docs sanity (commit `c66fd52`)
- [ ] Spot-check three line-number citations from each ARCHITECTURE.md
  against live code (drift is the silent killer — line-numbered
  docs rot fastest). Suggested:
  - `service-worker/index.ts:20` (lazy WASM init)
  - `crypto.rs:59` (`VERSION_BYTE = 0x02`)
  - `helpers.rs:48-52` (hardened-`git` `-c` flags)
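
An added example (not part of the relicario repository) that automates the citation spot-check above: it takes a `path:line` or `path:start-end` citation, checks that an expected token sits on the cited lines, and reports the token's current line if it has drifted. The function names, the tokens searched for and the sample files are assumptions constructed for illustration; the real tree's paths and contents are not reproduced here.

```python
import re
import tempfile
from pathlib import Path

# Citation shape used in the checklist: "path:line" or "path:start-end".
CITE_RE = re.compile(r"^(?P<path>[^:\s]+):(?P<start>\d+)(?:-(?P<end>\d+))?$")

def check_citation(root, cite, needle):
    """Return ("ok", n), ("drifted", n), ("missing", None) or ("no-file", None)."""
    m = CITE_RE.match(cite)
    if m is None:
        raise ValueError(f"not a path:line citation: {cite!r}")
    path = Path(root) / m["path"]
    if not path.is_file():
        return ("no-file", None)
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    start, end = int(m["start"]), int(m["end"] or m["start"])
    if start < 1 or end < start:
        raise ValueError(f"bad line range in {cite!r}")
    for no in range(start, min(end, len(lines)) + 1):
        if needle in lines[no - 1]:
            return ("ok", no)
    # Token is not where the doc says; report where it lives now, if anywhere.
    for no, text in enumerate(lines, 1):
        if needle in text:
            return ("drifted", no)
    return ("missing", None)

def run_demo():
    """Run the checker over a constructed tree (not the project's real files)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: the constant sits on line 61, not the cited 59.
        crypto = ["// filler"] * 60 + ["const VERSION_BYTE: u8 = 0x02;"]
        Path(root, "crypto.rs").write_text("\n".join(crypto) + "\n", encoding="utf-8")
        # Constructed sample: a "-c" argument on line 50, inside the cited 48-52.
        helpers = ["// filler"] * 49 + ['cmd.arg("-c");'] + ["// filler"] * 5
        Path(root, "helpers.rs").write_text("\n".join(helpers) + "\n", encoding="utf-8")
        return {
            "crypto.rs:59": check_citation(root, "crypto.rs:59", "VERSION_BYTE"),
            "helpers.rs:48-52": check_citation(root, "helpers.rs:48-52", '"-c"'),
            # Deliberately absent from the sample tree: exercises the no-file path.
            "service-worker/index.ts:20": check_citation(root, "service-worker/index.ts:20", "init"),
        }

if __name__ == "__main__":
    for cite, result in run_demo().items():
        print(cite, result)
```

A `drifted` result means the doc needs its line number updated; `missing` means the cited construct is gone and the surrounding ARCHITECTURE.md text needs a re-read, not just a renumber.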
## Sign-off
When every box above is checked, the audit pass is good to tag as
v0.3.0. Anything that fails goes back into `Unreleased` as a fix
commit before the tag.