Step 18: FIDO2 support with interface and mock.
FIDO2Device interface abstracts hardware interaction (Register, Derive, Available, MatchesCredential). Real libfido2 implementation deferred; mock device used for full test coverage. AddFIDO2Slot: registers FIDO2 credential, derives KEK via HMAC-secret, wraps DEK, adds fido2/<label> slot to manifest. UnlockDEK: tries all fido2/* slots first (checks credential_id against connected device), falls back to passphrase. User never specifies which method. 6 tests: add slot, reject duplicate, unlock via FIDO2, fallback to passphrase when device unavailable, slot persistence, encrypted round-trip unlocked via FIDO2. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,7 +7,7 @@ ARCHITECTURE.md for design details.
|
||||
|
||||
## Current Status
|
||||
|
||||
**Phase:** Phase 3 in progress. Step 17 complete, ready for Step 18.
|
||||
**Phase:** Phase 3 in progress. Steps 17–18 complete, ready for Step 19.
|
||||
|
||||
**Last updated:** 2026-03-24
|
||||
|
||||
@@ -42,7 +42,7 @@ ARCHITECTURE.md for design details.
|
||||
|
||||
## Up Next
|
||||
|
||||
Step 18: FIDO2 support.
|
||||
Step 19: Encryption CLI + Slot Management.
|
||||
|
||||
## Known Issues / Decisions Deferred
|
||||
|
||||
@@ -79,3 +79,4 @@ Step 18: FIDO2 support.
|
||||
| 2026-03-24 | — | JWT token auth implemented (transparent auto-renewal, XDG token cache, ReauthChallenge fast path). |
|
||||
| 2026-03-24 | — | Phase 3 encryption design: selective per-file encryption, KEK slots (passphrase + fido2/label), manifest-embedded config. |
|
||||
| 2026-03-24 | 17 | Encryption core: Argon2id KEK, XChaCha20 DEK wrap/unwrap, selective per-file encrypt in Add/Checkpoint/Restore/Diff/Status. 10 tests. |
|
||||
| 2026-03-24 | 18 | FIDO2: FIDO2Device interface, AddFIDO2Slot, unlock resolution (fido2 first → passphrase fallback), mock device, 6 tests. |
|
||||
|
||||
Reference in New Issue
Block a user