fix(colibri-vault): harden bw interaction — server-match fail-closed + serialize + note-key validation #100

Merged
clawdie merged 1 commit from fix/colibri-vault-bw-hardening into main 2026-06-20 09:00:53 +02:00

What

Hardens the colibri-vault crate's bw interaction (the autonomous daemon provisioning path), bringing it to parity with — and slightly ahead of — the clawdie-vault-fetch shell helper (#69). Found during review of #69/#94.

Changes

  1. BW_SERVER server-match, fail-closed. Previously bw config server was ?-propagated, so it hard-failed on the 2nd+ provision (bw stays authenticated between calls → "logout required"). Now it tolerates that refusal only if the already-configured server matches the expected endpoint; otherwise fails closed with a new VaultError::ServerMismatch. This both fixes repeat provisioning and stops a stale login from fetching against the wrong Bitwarden host — the same guard #69 added to the shell helper, which the daemon path lacked.
  2. Serialize provisions (closes #95). bw keeps process-global state (one configured server + session per process). Concurrent jailed spawns → concurrent provision() → could tear down each other's session mid-fetch. Wrapped the whole login→unlock→fetch→lock lifecycle in a process-wide tokio::sync::Mutex.
  3. Validate secure-note keys. Login items already ran validate_key; the secure-note path wrote raw KEY=VALUE. Now note keys are validated identically (no unchecked .env injection from a note).

Tests

  • cargo build -p colibri-vault, cargo test -p colibri-vault (7 pass, incl. new server_config_locked_detection_matches_bw_cli_text and vault_lock_serializes), cargo fmt --check clean.
  • Built/tested on Linux (domedog) — the crate is OS-clean.

Related

  • Mirrors #69 (shell helper) into the Rust crate.
  • Closes #95.
  • Orthogonal to #92 (path canonicalization, daemon.rs side) and #98/#70 (pkg naming).

🤖 Generated with Claude Code

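The server-match guard (change 1) and the secure-note key validation (change 3) from the description, as an added example that is not the colibri-vault crate's own code. It assumes the bw refusal phrase, that the caller reads the currently configured server back from bw, and an env-key grammar of `[A-Za-z_][A-Za-z0-9_]*`; the process-wide provisioning lock (change 2) is not shown.

```rust
// Added example, not the colibri-vault crate's own code: the two fail-closed
// decisions the PR describes. bw's stderr phrase and the env-key grammar are assumptions.
#[derive(Debug, PartialEq)]
pub enum VaultError {
    ServerMismatch { expected: String, configured: String },
    InvalidKey(String),
    Bw(String),
}

/// Does bw's refusal of `bw config server <url>` mean a session is still active?
/// Assumed marker text; the crate's own detection is covered by its test.
pub fn is_logout_required(stderr: &str) -> bool { stderr.to_ascii_lowercase().contains("logout required") }

fn normalize(url: &str) -> String { url.trim().trim_end_matches('/').to_ascii_lowercase() }

/// Decide whether provisioning may continue after `bw config server`.
/// `exit_ok`/`stderr` come from that call; `configured` is the server bw
/// currently reports (assumed to be read back by the caller).
pub fn check_server(expected: &str, exit_ok: bool, stderr: &str, configured: &str)
    -> Result<(), VaultError> {
    if exit_ok { return Ok(()); }
    if !is_logout_required(stderr) { return Err(VaultError::Bw(stderr.to_string())); }
    // Tolerate the refusal only when the live session already points at BW_SERVER.
    if normalize(configured) == normalize(expected) { return Ok(()); }
    Err(VaultError::ServerMismatch { expected: expected.into(), configured: configured.into() })
}

/// Env-key grammar assumed here: [A-Za-z_][A-Za-z0-9_]*. Spaces, '=', newlines
/// and shell metacharacters are rejected before they can reach .env.
pub fn validate_key(key: &str) -> Result<(), VaultError> {
    let mut it = key.chars();
    let ok = matches!(it.next(), Some(c) if c == '_' || c.is_ascii_alphabetic())
        && it.all(|c| c == '_' || c.is_ascii_alphanumeric());
    if ok { Ok(()) } else { Err(VaultError::InvalidKey(key.to_string())) }
}

/// Turn a secure note's body into validated KEY=VALUE pairs; blank and '#'
/// lines are skipped, and the first '=' splits key from value.
pub fn note_to_env(note: &str) -> Result<Vec<(String, String)>, VaultError> {
    let mut out = Vec::new();
    for raw in note.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let (k, v) = line.split_once('=').ok_or_else(|| VaultError::InvalidKey(line.into()))?;
        validate_key(k)?;
        out.push((k.to_string(), v.to_string()));
    }
    Ok(out)
}
```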
clawdie added 1 commit 2026-06-20 08:30:32 +02:00
fix(colibri-vault): harden bw interaction — server-match fail-closed + serialize + validate note keys
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
37b00525ca
Bring the daemon's provisioning path to parity with (and ahead of) the
clawdie-vault-fetch shell helper (#69):

- BW_SERVER: tolerate 'logout required/already configured' ONLY when the
  already-configured server matches the expected endpoint; else fail closed
  (new VaultError::ServerMismatch). Fixes repeat-provision failure AND prevents
  a stale login fetching from the wrong Bitwarden host.
- Serialize the whole login→unlock→fetch→lock via a process-wide async Mutex —
  bw keeps process-global state, so concurrent provisions could race (closes #95).
- Validate secure-note KEYs with validate_key too (login items were already
  validated; notes wrote raw KEY=VALUE).

Tests: cargo build/test -p colibri-vault (7 pass), cargo fmt --check clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 1bb9595def into main 2026-06-20 09:00:52 +02:00
Reference: clawdie/colibri#100