chore: bump to 0.7.1, workflow/readme/init/upgrade updates, fix clippy needless_borrows

Made-with: Cursor

src/commands/init.rs

@@ -4,15 +4,23 @@ use sqlx::PgPool;
 
 use crate::{crypto, db};
 
+const MIN_MASTER_PASSWORD_LEN: usize = 8;
+
 pub async fn run(pool: &PgPool) -> Result<()> {
     println!("Initializing secrets master key...");
     println!();
 
     // Read password (no echo)
-    let password =
-        rpassword::prompt_password("Enter master password: ").context("failed to read password")?;
-    if password.is_empty() {
-        anyhow::bail!("Master password must not be empty.");
+    let password = rpassword::prompt_password(format!(
+        "Enter master password (at least {} characters): ",
+        MIN_MASTER_PASSWORD_LEN
+    ))
+    .context("failed to read password")?;
+    if password.chars().count() < MIN_MASTER_PASSWORD_LEN {
+        anyhow::bail!(
+            "Master password must be at least {} characters.",
+            MIN_MASTER_PASSWORD_LEN
+        );
     }
     let confirm = rpassword::prompt_password("Confirm master password: ")
         .context("failed to read password confirmation")?;

src/commands/upgrade.rs

@@ -3,6 +3,7 @@ use flate2::read::GzDecoder;
 use serde::Deserialize;
 use sha2::{Digest, Sha256};
 use std::io::{Cursor, Read, Write};
+use std::time::Duration;
 
 const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
 
@@ -28,16 +29,17 @@ fn available_assets(assets: &[Asset]) -> String {
         .join(", ")
 }
 
-fn find_asset_by_suffix<'a>(assets: &'a [Asset], suffix: &str) -> Result<&'a Asset> {
-    assets
-        .iter()
-        .find(|a| a.name.ends_with(suffix))
-        .with_context(|| {
-            format!(
-                "no asset found for this platform (looking for suffix: {suffix})\navailable: {}",
-                available_assets(assets)
-            )
-        })
+fn release_asset_name(tag_name: &str, suffix: &str) -> String {
+    format!("secrets-{tag_name}-{suffix}")
+}
+
+fn find_asset_by_name<'a>(assets: &'a [Asset], name: &str) -> Result<&'a Asset> {
+    assets.iter().find(|a| a.name == name).with_context(|| {
+        format!(
+            "no matching release asset found: {name}\navailable: {}",
+            available_assets(assets)
+        )
+    })
 }
 
 /// Detect the asset suffix for the current platform/arch at compile time.
@@ -89,6 +91,22 @@ fn sha256_hex(bytes: &[u8]) -> String {
     format!("{digest:x}")
 }
 
+fn verify_checksum(asset_name: &str, archive: &[u8], checksum_contents: &str) -> Result<String> {
+    let expected_checksum = parse_checksum_file(checksum_contents)?;
+    let actual_checksum = sha256_hex(archive);
+
+    if actual_checksum != expected_checksum {
+        bail!(
+            "checksum verification failed for {}: expected {}, got {}",
+            asset_name,
+            expected_checksum,
+            actual_checksum
+        );
+    }
+
+    Ok(actual_checksum)
+}
+
 fn parse_checksum_file(contents: &str) -> Result<String> {
     let checksum = contents
         .split_whitespace()
@@ -163,6 +181,8 @@ pub async fn run(check_only: bool) -> Result<()> {
 
     let client = reqwest::Client::builder()
         .user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
+        .connect_timeout(Duration::from_secs(10))
+        .timeout(Duration::from_secs(120))
         .build()
         .context("failed to build HTTP client")?;
 
@@ -192,18 +212,10 @@ pub async fn run(check_only: bool) -> Result<()> {
     }
 
     let suffix = platform_asset_suffix()?;
-    let asset = find_asset_by_suffix(&release.assets, suffix)?;
+    let asset_name = release_asset_name(&release.tag_name, suffix);
+    let asset = find_asset_by_name(&release.assets, &asset_name)?;
     let checksum_name = format!("{}.sha256", asset.name);
-    let checksum_asset = release
-        .assets
-        .iter()
-        .find(|a| a.name == checksum_name)
-        .with_context(|| {
-            format!(
-                "missing checksum asset for download: {checksum_name}\navailable: {}",
-                available_assets(&release.assets)
-            )
-        })?;
+    let checksum_asset = find_asset_by_name(&release.assets, &checksum_name)?;
 
     println!("Downloading {}...", asset.name);
 
@@ -214,19 +226,11 @@ pub async fn run(check_only: bool) -> Result<()> {
         "checksum download",
     )
     .await?;
-    let expected_checksum = parse_checksum_file(
+    let actual_checksum = verify_checksum(
+        &asset.name,
+        &archive,
         std::str::from_utf8(&checksum_contents).context("checksum file is not valid UTF-8")?,
     )?;
-    let actual_checksum = sha256_hex(&archive);
-
-    if actual_checksum != expected_checksum {
-        bail!(
-            "checksum verification failed for {}: expected {}, got {}",
-            asset.name,
-            expected_checksum,
-            actual_checksum
-        );
-    }
 
     println!("Verified SHA-256: {actual_checksum}");
 
@@ -298,6 +302,33 @@ mod tests {
         assert!(err.to_string().contains("invalid SHA-256 checksum format"));
     }
 
+    #[test]
+    fn release_asset_name_matches_release_tag() {
+        assert_eq!(
+            release_asset_name("secrets-0.7.0", "x86_64-linux-musl.tar.gz"),
+            "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz"
+        );
+    }
+
+    #[test]
+    fn find_asset_by_name_rejects_stale_platform_match() {
+        let assets = vec![
+            Asset {
+                name: "secrets-secrets-0.6.9-x86_64-linux-musl.tar.gz".into(),
+                browser_download_url: "https://example.invalid/old".into(),
+            },
+            Asset {
+                name: "secrets-secrets-0.7.0-aarch64-macos.tar.gz".into(),
+                browser_download_url: "https://example.invalid/other".into(),
+            },
+        ];
+
+        let err = find_asset_by_name(&assets, "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz")
+            .expect_err("stale asset should not match");
+
+        assert!(err.to_string().contains("no matching release asset found"));
+    }
+
     #[test]
     fn sha256_hex_matches_known_value() {
         assert_eq!(
@@ -306,6 +337,18 @@ mod tests {
         );
     }
 
+    #[test]
+    fn verify_checksum_rejects_mismatch() {
+        let err = verify_checksum(
+            "secrets.tar.gz",
+            b"abc",
+            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  secrets.tar.gz",
+        )
+        .expect_err("checksum mismatch should fail");
+
+        assert!(err.to_string().contains("checksum verification failed"));
+    }
+
     #[test]
     fn extract_from_targz_reads_binary() {
         let payload = b"fake-secrets-binary";