sgard

sc/sgard

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	3b961b5d8a	Step 17: Encryption core — passphrase-only, selective per-file. Manifest schema: Entry gains Encrypted, PlaintextHash fields. Manifest gains Encryption section with KekSlots map (passphrase slot with Argon2id params, salt, and wrapped DEK as base64). garden/encrypt.go: EncryptInit (generate DEK, wrap with passphrase KEK), UnlockDEK (derive KEK, unwrap), encryptBlob/decryptBlob using XChaCha20-Poly1305 with random 24-byte nonces. Modified operations: - Add: optional encrypt flag, stores encrypted blob + plaintext_hash - Checkpoint: detects changes via plaintext_hash, re-encrypts - Restore: decrypts encrypted blobs before writing - Diff: decrypts stored blob before comparing - Status: compares against plaintext_hash for encrypted entries 10 tests covering init, persistence, unlock, add-encrypted, restore round-trip, checkpoint, status, diff, requires-DEK guard. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 08:50:53 -07:00
Kyle Isom	d1a6e533a4	Step 8: Polish — lint, clock abstraction, e2e test. - golangci-lint config with errcheck, govet, staticcheck, errorlint - Fix all lint issues (unchecked error returns in cleanup paths, De Morgan) - Inject jonboulle/clockwork into Garden for deterministic timestamps - Add manifest.NewWithTime() for clock-aware initialization - E2e lifecycle test: init → add → checkpoint → modify → status → restore → verify - Update CLAUDE.md, PROJECT_PLAN.md, PROGRESS.md Phase 1 (local) is now complete. All 9 CLI commands implemented and tested. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 22:03:53 -07:00
Kyle Isom	7a3d78d741	Step 2: Add manifest package with YAML data model and persistence. Implements Manifest and Entry structs with YAML tags, New() constructor, Load(path) for reading, and Save(path) with atomic write (temp file + rename). Tests cover round-trip serialization, atomic save cleanup, entry type invariants, nonexistent file error, and empty manifest. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 21:24:56 -07:00

Author

SHA1

Message

Date

Kyle Isom

3b961b5d8a

Step 17: Encryption core — passphrase-only, selective per-file.

Manifest schema: Entry gains Encrypted, PlaintextHash fields.
Manifest gains Encryption section with KekSlots map (passphrase slot
with Argon2id params, salt, and wrapped DEK as base64).

garden/encrypt.go: EncryptInit (generate DEK, wrap with passphrase KEK),
UnlockDEK (derive KEK, unwrap), encryptBlob/decryptBlob using
XChaCha20-Poly1305 with random 24-byte nonces.

Modified operations:
- Add: optional encrypt flag, stores encrypted blob + plaintext_hash
- Checkpoint: detects changes via plaintext_hash, re-encrypts
- Restore: decrypts encrypted blobs before writing
- Diff: decrypts stored blob before comparing
- Status: compares against plaintext_hash for encrypted entries

10 tests covering init, persistence, unlock, add-encrypted, restore
round-trip, checkpoint, status, diff, requires-DEK guard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-24 08:50:53 -07:00

Kyle Isom

d1a6e533a4

Step 8: Polish — lint, clock abstraction, e2e test.

- golangci-lint config with errcheck, govet, staticcheck, errorlint
- Fix all lint issues (unchecked error returns in cleanup paths, De Morgan)
- Inject jonboulle/clockwork into Garden for deterministic timestamps
- Add manifest.NewWithTime() for clock-aware initialization
- E2e lifecycle test: init → add → checkpoint → modify → status → restore → verify
- Update CLAUDE.md, PROJECT_PLAN.md, PROGRESS.md

Phase 1 (local) is now complete. All 9 CLI commands implemented and tested.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-23 22:03:53 -07:00

Kyle Isom

7a3d78d741

Step 2: Add manifest package with YAML data model and persistence.

Implements Manifest and Entry structs with YAML tags, New() constructor,
Load(path) for reading, and Save(path) with atomic write (temp file +
rename). Tests cover round-trip serialization, atomic save cleanup,
entry type invariants, nonexistent file error, and empty manifest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-23 21:24:56 -07:00

3 Commits