add per-secret recipient groups #226

Merged: iicky merged 1 commit into main from feat/recipient-groups on Jun 17, 2026
@iicky (Owner) commented Jun 16, 2026

  • add `group` command to create, list, and manage named recipient groups
  • add `--group NAME` to add/generate/rotate/import/edit to scope a secret to a group
  • treat `everyone` and `me` as reserved tiers; deprecate `--scoped` in favor of `--group me`
  • encrypt grouped secret values to group members only, alongside shared and scoped tiers
  • store grouped ciphertext and group membership in the vault and cover it in the integrity MAC
  • handle grouped values in export, merge, and the Python/Node bindings
  • document recipient groups in SPEC.md and THREAT_MODEL.md
  • add CLI tests for group lifecycle and grouped secret access

- add grouped field to SecretEntry and groups map to Meta
- add MAC v6 (blake3v4) covering grouped ciphertexts and group membership; gate on first group so group-free vaults stay byte-identical; reject grouped data under pre-v6 MACs
- add src/groups.rs: create/delete/add_member/remove_member/resolve_member, reserved names everyone/me
- add murk group create/ls/add/rm and --group on add/generate/import/edit and circle authorize
- route --group everyone/me to shared/scoped; keep --scoped as deprecated alias for --group me
- enforce one base tier per key: setting shared clears grouped, setting a group clears shared
- preserve on-disk secrets a non-member can't decrypt across save so they aren't dropped
- resolve grouped values in get_secret/resolve_secrets so bindings read them; strip revoked members from groups
- merge grouped like scoped, union group membership in regenerate_meta
- update SPEC.md and THREAT_MODEL.md
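
The MAC gating and one-base-tier rules from the description above, as an added Rust sketch that is not murk's code. The `Vault` and `SecretEntry` shapes, the function names and the use of 5 as a stand-in pre-v6 version are assumptions, and it models only the version decision, not the MAC computation.

```rust
use std::collections::BTreeMap;

// Hypothetical model of the fields named in the PR; not murk's real types.
const MAC_V6: u8 = 6; // first MAC version covering grouped data, per the PR text
#[derive(Default)]
struct SecretEntry {
    shared: Option<String>,            // ciphertext for the `everyone` tier
    grouped: Option<(String, String)>, // (group, ciphertext); shape is assumed
}
#[derive(Default)]
struct Vault {
    groups: BTreeMap<String, Vec<String>>, // group name -> member public keys
    secrets: BTreeMap<String, SecretEntry>,
}
impl Vault {
    fn has_group_data(&self) -> bool {
        !self.groups.is_empty() || self.secrets.values().any(|s| s.grouped.is_some())
    }
    // Write side: keep the current MAC version until the first group exists.
    fn mac_version_for_save(&self, current: u8) -> u8 {
        if self.has_group_data() { current.max(MAC_V6) } else { current }
    }
    // Read side: an older MAC does not cover grouped fields, so refuse the vault.
    fn check_mac_version(&self, declared: u8) -> Result<(), String> {
        if declared < MAC_V6 && self.has_group_data() {
            return Err(format!("grouped data under MAC v{}, need v{}", declared, MAC_V6));
        }
        Ok(())
    }
    // One base tier per key: a group value clears shared, and vice versa.
    fn set_group(&mut self, key: &str, group: &str, ct: &str) -> Result<(), String> {
        if !self.groups.contains_key(group) {
            return Err(format!("unknown group {}", group));
        }
        let e = self.secrets.entry(key.to_string()).or_default();
        e.shared = None;
        e.grouped = Some((group.to_string(), ct.to_string()));
        Ok(())
    }
    fn set_shared(&mut self, key: &str, ct: &str) {
        *self.secrets.entry(key.to_string()).or_default() =
            SecretEntry { shared: Some(ct.to_string()), grouped: None };
    }
}

fn main() {
    let mut v = Vault::default();
    v.groups.insert("ops".into(), vec!["constructed-pubkey".into()]); // constructed
    println!("{:?}", v.check_mac_version(5)); // 5 stands in for any pre-v6 version
}
```

The read-side check is what stops a rollback: without it, a vault file edited to declare an older MAC version could carry grouped ciphertexts or membership that the MAC never authenticated.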
codecov Bot commented Jun 16, 2026

Codecov Report

❌ Patch coverage is 79.15888% with 223 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.34%. Comparing base (5a9eb86) to head (56460d0).
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/main.rs | 62.62% | 141 Missing and 7 partials ⚠️ |
| src/lib.rs | 90.05% | 18 Missing and 19 partials ⚠️ |
| src/merge.rs | 65.78% | 10 Missing and 3 partials ⚠️ |
| src/groups.rs | 94.21% | 9 Missing and 2 partials ⚠️ |
| src/recipients.rs | 64.70% | 3 Missing and 3 partials ⚠️ |
| src/export.rs | 60.00% | 3 Missing and 1 partial ⚠️ |
| src/secrets.rs | 90.00% | 3 Missing and 1 partial ⚠️ |

@iicky merged commit d2919a4 into main Jun 17, 2026
37 checks passed
@iicky deleted the feat/recipient-groups branch June 17, 2026 00:02