466 lines
18 KiB
Markdown
466 lines
18 KiB
Markdown
# TODO
|
|
|
|
## Parallel Work Segments
|
|
|
|
These segments are intended to be independently executable wherever possible.
|
|
Each segment has its own local exit criteria.
|
|
The product is not complete until the global exit criteria at the end of this file are also met.
|
|
|
|
## Priority Bugs
|
|
|
|
- Vault root view bug:
|
|
introduce explicit `Vault`, `VaultRoot`, and `VaultRecycleBin` view factories
|
|
in `internal/vaultview` and move hidden-root behavior out of UI heuristics.
|
|
- Vault root view bug:
|
|
update `internal/appstate` and entries/recycle-bin UI plumbing to use
|
|
`VaultRoot` and `VaultRecycleBin` instead of raw datastore paths.
|
|
- Vault root view bug:
|
|
update gRPC/API-facing datastore reads and writes to use logical `VaultRoot`
|
|
paths while keeping authorization on canonical `Vault` paths.
|
|
- Vault root view bug:
|
|
add API-token path translation helpers so token editing, approval prompts, and
|
|
audit/resource display stop leaking the physical `keepass` root.
|
|
- Vault root view bug:
|
|
ensure vault create/open maintains the physical `keepass` storage root,
|
|
lazily creates recycle-bin structure when needed, and warns when opening a
|
|
legacy vault that had to be normalized.
|
|
|
|
## UI Review Follow-Ups
|
|
|
|
These items came from a hands-on emulator and desktop walkthrough.
|
|
They should be treated as usability work, not just polish.
|
|
|
|
### Cross-Platform Workflow Parity
|
|
|
|
These items are required to keep desktop, Android phone, and Android tablet
|
|
feeling like the same application rather than three related UIs.
|
|
|
|
- Workflow parity:
|
|
define canonical workflows for open, unlock, set up remote sync, use remote
|
|
sync, browse entries, and edit entries.
|
|
- Workflow parity:
|
|
ensure desktop, phone, and tablet use the same action names and the same
|
|
primary next steps for those workflows.
|
|
- Workflow parity:
|
|
remove or reduce platform-specific workflow exceptions where the same user
|
|
intent currently takes a different route on different form factors.
|
|
- Testing:
|
|
add cross-mode behavior tests that assert workflow order and action
|
|
prominence, not just label presence.
|
|
- Testing:
|
|
add explicit lifecycle/open-screen tests for reachability of the primary
|
|
action on desktop, phone, and tablet layouts.
|
|
- Testing:
|
|
add explicit remote-sync workflow tests that prove setup, settings, use, and
|
|
removal are reachable from the same primary affordance family across modes.
|
|
- Android verification:
|
|
validate changed lifecycle/open/sync workflows on the emulator or a device,
|
|
including with the on-screen keyboard visible.
|
|
- Android verification:
|
|
treat “present but below the fold or behind an unexpected branch” as a parity
|
|
failure, not as acceptable platform variation.
|
|
|
|
### Primary Workflow Changes
|
|
|
|
These should remain in the main user flow rather than being hidden behind a settings gear.
|
|
|
|
- Browser extension:
|
|
- Local open flow:
|
|
make the start screen primarily about opening a vault, not configuring one.
|
|
- Local open flow:
|
|
keep recent vault selection visually obvious and clearly tappable.
|
|
- Local open flow:
|
|
once a recent vault is preselected, collapse the full path into a compact summary with a `Change...` affordance.
|
|
- Local open flow:
|
|
improve Android field focus and IME behavior so the master-password field reliably takes focus and summons the keyboard.
|
|
- Local open flow:
|
|
show an explicit progress state and allow cancel or retry while opening a vault, especially on Android.
|
|
- Remote open flow:
|
|
break the remote form into clearer sections such as `Location` and `Authentication`.
|
|
- Remote open flow:
|
|
make recent remote connections easier to scan with a friendlier label than raw URL and path.
|
|
- Locked screen:
|
|
show clear vault identity and target summary so the user knows what is being unlocked.
|
|
- Entries screen:
|
|
tighten the top strip on phone so tabs, breadcrumbs, and group controls do not fight for the same row.
|
|
- Entries screen:
|
|
make breadcrumbs compress more aggressively on phone.
|
|
- Entries screen:
|
|
improve entry-row hierarchy and selected-state contrast.
|
|
- Entries screen:
|
|
provide section-specific empty states for search, recycle bin, API tokens, and empty groups.
|
|
- Group navigation:
|
|
make the distinction between root, current group, and child groups more obvious.
|
|
- Group navigation:
|
|
separate navigation controls from group-management controls more clearly.
|
|
- Entry detail:
|
|
tighten field spacing and reduce unnecessary whitespace.
|
|
- Entry detail:
|
|
group password reveal and copy actions more clearly.
|
|
- Entry detail:
|
|
make attachments more visible and actionable.
|
|
- Entry edit:
|
|
break the editor into clearer subsections such as `Basics`, `Notes`, `Custom Fields`, `History`, and `Attachments`.
|
|
- Entry edit:
|
|
make add/remove affordances for custom fields more visually obvious.
|
|
- Entry edit:
|
|
make generated-password draft state more explicit before save.
|
|
- Recycle bin:
|
|
make it visually distinct from normal entry browsing.
|
|
- API tokens:
|
|
give token list, token detail, and policy editing a clearer dedicated management surface.
|
|
- API tokens:
|
|
make policy rows easier to scan by separating effect, operation, and resource visually.
|
|
- API audit:
|
|
improve empty-state guidance and provide quick filtering by token, decision, and operation.
|
|
- Synchronize:
|
|
keep the split-button pattern, but reduce the visual weight of the sync controls and make advanced sync affordances clearer.
|
|
- Synchronize:
|
|
avoid layout-shifting success banners and keep noncritical notifications ephemeral.
|
|
- Synchronize:
|
|
define exact local-versus-remote merge semantics for cases where both sides changed, and make the user-facing action names describe the real behavior instead of ambiguous `push`/`pull` labels if those actions perform two-way reconciliation.
|
|
- Synchronize:
|
|
choose sync wording and defaults that maximize user comprehension and safety, especially around merge, overwrite, conflict, and retry behavior.
|
|
- Phone layout:
|
|
continue reducing header and control density so content appears sooner.
|
|
- Mobile reliability:
|
|
fix Android local-open ANR behavior before deeper mobile polish.
|
|
- Autofill UX:
|
|
surface whether a fill candidate was found, ambiguous, blocked, or awaiting approval.
|
|
|
|
### Settings Gear Candidates
|
|
|
|
These are important, but they should likely move behind a dedicated settings gear or advanced/settings surface instead of occupying first-run or day-to-day credential screens.
|
|
|
|
- Vault security:
|
|
move `Cipher` and `KDF` off the main local-open screen and into `Advanced` or `Vault Settings`.
|
|
- Vault security:
|
|
frame security settings as vault configuration rather than freeform text fields in the primary workflow.
|
|
- Remote preferences:
|
|
move remembered-auth behavior details and retention policy explanations into settings/help rather than the main open flow.
|
|
- UI preferences:
|
|
save and expose view preferences such as group-tools collapse state and any future dense/comfortable layout toggle under settings.
|
|
- Autofill behavior:
|
|
app and browser allowlists, package rules, and first-fill approval preferences should live under a settings/privacy area.
|
|
- Sync defaults:
|
|
source/direction defaults, conflict preferences, and any future background sync behavior should live under settings.
|
|
- Notification preferences:
|
|
banner timeout, ephemeral notices, and other noncritical UI feedback tuning should live under settings.
|
|
- Accessibility preferences:
|
|
future display-density, contrast, reduced-motion, or keyboard-focus tuning should live under settings.
|
|
|
|
### Exit Criteria
|
|
|
|
- The main workflow screens prioritize opening, browsing, copying, editing, and synchronizing credentials.
|
|
- Advanced vault/security and behavior preferences are no longer cluttering the primary open and browsing flows.
|
|
- Phone and desktop layouts both present a clear information hierarchy.
|
|
- The Android open flow is reliable enough to review and use without ANR during ordinary vault-open operations.
|
|
|
|
### Segment 1: Application State Ownership
|
|
|
|
Scope:
|
|
- Keep the controller as the single source of truth for:
|
|
session state,
|
|
selected entry,
|
|
selected template,
|
|
current path,
|
|
current section,
|
|
search query,
|
|
dirty state,
|
|
status messaging,
|
|
and error state.
|
|
- Remove remaining direct UI-owned mutation of product state.
|
|
- Keep list, detail, breadcrumb, section, and selection behavior controller-driven.
|
|
|
|
Exit criteria:
|
|
- No core workflow depends on UI-local state as the authoritative source of vault data.
|
|
- UI list and detail rendering derive from controller or session state only.
|
|
- Controller behavior tests cover section switching, selection, search, and dirty-state transitions.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 2: Local Vault Lifecycle UI
|
|
|
|
Scope:
|
|
- Create new vault flow.
|
|
- Open local vault flow.
|
|
- Save current vault flow.
|
|
- Save-as local vault flow.
|
|
- Lock flow.
|
|
- Unlock flow.
|
|
- Visible error handling for invalid master key, unreadable file, decode failure, and missing path.
|
|
|
|
Exit criteria:
|
|
- A user can create, open, save, save-as, lock, and unlock a local vault through the UI.
|
|
- UI tests or controller-integrated tests cover each lifecycle path.
|
|
- Lifecycle actions update visible status and error messages consistently.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 3: Remote WebDAV Lifecycle UI
|
|
|
|
Scope:
|
|
- Open remote WebDAV vault flow.
|
|
- Save remote WebDAV vault flow.
|
|
- Visible handling for remote error states.
|
|
- Visible handling for conflict responses and retry-safe behavior.
|
|
|
|
Exit criteria:
|
|
- A user can open and save a remote WebDAV-backed vault through the UI.
|
|
- Conflict and transport failures surface a visible error state.
|
|
- WebDAV lifecycle tests cover open, save, and conflict behavior.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 4: Master Key Setup And Change Flows
|
|
|
|
Scope:
|
|
- Password-only setup and unlock.
|
|
- Key-file-only setup and unlock.
|
|
- Composite password-plus-key-file setup and unlock.
|
|
- UI for selecting master-key mode when creating a vault.
|
|
- UI for changing master-key mode on an existing vault where supported.
|
|
|
|
Exit criteria:
|
|
- All three master-key modes work through the product UI, not only storage helpers.
|
|
- Tests cover each mode for create, open, and unlock behavior.
|
|
- Validation and visible error states exist for missing or invalid key material.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 6: Entry CRUD UI
|
|
|
|
Scope:
|
|
- Create entry.
|
|
- Edit entry.
|
|
- Duplicate entry.
|
|
- Delete entry to recycle bin.
|
|
- Restore entry from recycle bin.
|
|
- Move entry between groups if needed for editing flow.
|
|
|
|
Exit criteria:
|
|
- All core entry CRUD actions are available from the UI.
|
|
- Entry editor supports title, username, password, URL, notes, tags, and custom string fields.
|
|
- Deletion routes entries to recycle behavior rather than permanent loss.
|
|
- Tests cover create, edit, duplicate, delete, and restore flows.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 7: Entry History UI
|
|
|
|
Scope:
|
|
- Browse history for the selected entry.
|
|
- Select a historical version.
|
|
- Restore a historical version into the current entry.
|
|
|
|
Exit criteria:
|
|
- Entry history is visible and restorable from the UI.
|
|
- History restore creates the expected new current state.
|
|
- Tests cover history listing and restore behavior.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 8: Group And Path Management UI
|
|
|
|
Scope:
|
|
- Create group.
|
|
- Rename group.
|
|
- Delete group.
|
|
- Breadcrumb-driven path navigation.
|
|
- Explicit navigation for templates and recycle bin.
|
|
- Move entries between groups.
|
|
|
|
Exit criteria:
|
|
- Nested group management works from the UI.
|
|
- Breadcrumb navigation and group listing are controller-driven.
|
|
- Templates and recycle-bin locations are explicit and navigable.
|
|
- Tests cover create, rename, delete, navigate, and move behavior.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 9: Search Completion
|
|
|
|
Scope:
|
|
- Current-group listing.
|
|
- Global search.
|
|
- Visible path context in results.
|
|
- Explicit behavior for templates search.
|
|
- Explicit behavior for recycle-bin search.
|
|
- Clear and reset behavior.
|
|
|
|
Exit criteria:
|
|
- Search behavior is consistent across desktop and phone layouts.
|
|
- Search results always retain visible path context.
|
|
- Template and recycle-bin search behavior is defined and tested.
|
|
- Tests cover clear/reset transitions.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 10: Template CRUD UI
|
|
|
|
Scope:
|
|
- Create template.
|
|
- Edit template.
|
|
- Delete template.
|
|
- Browse template list.
|
|
- Instantiate a template with overrides.
|
|
|
|
Exit criteria:
|
|
- Templates are manageable from the UI.
|
|
- Template instantiation can create a real entry with overrides.
|
|
- Tests cover template CRUD and instantiation behavior.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 11: Attachment Workflow UI
|
|
|
|
Scope:
|
|
- Add attachment.
|
|
- List attachments.
|
|
- Export attachment.
|
|
- Replace attachment.
|
|
- Remove attachment.
|
|
- Error and size handling.
|
|
|
|
Exit criteria:
|
|
- Attachments are manageable from the UI end to end.
|
|
- Attachment workflows are covered by tests.
|
|
- Replace and remove behavior preserve expected vault state.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 12: Password Generation UX
|
|
|
|
Scope:
|
|
- Expose password generation profiles in the UI.
|
|
- Allow generated passwords to populate the active entry form.
|
|
- Keep generator behavior aligned with gRPC.
|
|
|
|
Exit criteria:
|
|
- Users can generate a password from the UI without leaving the entry workflow.
|
|
- Profile selection is visible and tested.
|
|
- Generated values flow into entry create and edit forms correctly.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 13: Copy, Reveal, And Secret Transfer UX
|
|
|
|
Scope:
|
|
- Copy username.
|
|
- Copy password.
|
|
- Copy URL.
|
|
- Reveal or hide password.
|
|
- Visible copy feedback.
|
|
- Secret-safe error and status behavior.
|
|
- Optional timed clipboard clearing if retained.
|
|
|
|
Exit criteria:
|
|
- Copy and reveal flows work in the UI end to end.
|
|
- Clipboard feedback is visible and non-secret-bearing.
|
|
- If timed clearing exists, it is tested.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 14: gRPC Lifecycle API
|
|
|
|
Scope:
|
|
- Session status RPC.
|
|
- Open local vault RPC.
|
|
- Open remote vault RPC.
|
|
- Save vault RPC.
|
|
- Lock vault RPC.
|
|
- Unlock vault RPC.
|
|
|
|
Exit criteria:
|
|
- Trusted clients can manage vault lifecycle through gRPC.
|
|
- Authentication and error contracts are consistent across lifecycle methods.
|
|
- Lifecycle gRPC integration tests pass.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 15: gRPC Mutation API
|
|
|
|
Scope:
|
|
- Entry mutation RPCs.
|
|
- Group mutation RPCs.
|
|
- Template mutation RPCs.
|
|
- History restore RPCs.
|
|
- Attachment upload, download, list, and delete RPCs.
|
|
- Copy-field RPCs.
|
|
- Password generation RPC.
|
|
|
|
Exit criteria:
|
|
- Trusted clients can perform all major mutation workflows through gRPC.
|
|
- The API does not depend on UI-local state.
|
|
- Integration tests cover the mutation surfaces.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 16: Accessibility And Keyboard-First Behavior
|
|
|
|
Scope:
|
|
- Keyboard navigation for search, list, detail, dialogs, and breadcrumbs.
|
|
- Shortcuts for save, lock, new entry, search focus, and field copy actions.
|
|
- Visible focus states.
|
|
- High-DPI sanity coverage.
|
|
- Screen-reader-conscious labels where Gio permits.
|
|
|
|
Exit criteria:
|
|
- Core workflows are operable without a pointing device on desktop.
|
|
- Keyboard shortcuts exist for major actions and are tested.
|
|
- Focus and accessibility states are visible and intentional.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 21: Accessibility Fill Generalization
|
|
|
|
Scope:
|
|
- Extend Android accessibility-based fill beyond the current Chrome demo path.
|
|
- Support package-specific rules so apps with stable package identities can have tailored matching behavior.
|
|
- Support view-id matching so custom login forms can be identified more reliably than by generic hints alone.
|
|
- Support app allowlists so only approved apps/packages are eligible for accessibility-based credential fill.
|
|
- Require an approval step before filling into a newly seen app/package unless the user has already made a persistent decision.
|
|
|
|
Exit criteria:
|
|
- The design for package-specific rules, view-id matching, app allowlists, and first-fill approval is implemented or broken into executable sub-slices.
|
|
- Accessibility fill no longer depends solely on Chrome-style generic username/password heuristics.
|
|
- New app/package fill attempts can be allowed, denied, or made persistent by the user.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 17: UI Completion And Error Surfaces
|
|
|
|
Scope:
|
|
- Empty states.
|
|
- Loading states.
|
|
- Error states.
|
|
- Lock screen.
|
|
- Master-key prompts.
|
|
- Save conflict surfaces.
|
|
- Remove remaining prototype-only affordances.
|
|
|
|
Exit criteria:
|
|
- Core product workflows no longer rely on prototype-style hidden assumptions.
|
|
- Lock, error, loading, and empty states are visible and intentional.
|
|
- UI tests or controller-integrated tests cover these states.
|
|
- `go test ./...` passes.
|
|
|
|
### Segment 20: Regression And Integration Coverage
|
|
|
|
Scope:
|
|
- Add integration coverage for reopen/save cycles.
|
|
- Add regression coverage for stable entry IDs.
|
|
- Add regression coverage for remote save and reopen.
|
|
- Add regression coverage for history, recycle bin, templates, groups, and attachments together.
|
|
|
|
Exit criteria:
|
|
- Cross-feature regressions have dedicated tests.
|
|
- Stable identity and persistence guarantees are covered by tests.
|
|
- `go test ./...` passes.
|
|
|
|
## Global Exit Criteria
|
|
|
|
Do not treat the product as complete until all of the following are true:
|
|
|
|
- All remaining numbered segments, API segments, and UI review follow-ups are complete.
|
|
- KeePassGO can create, open, edit, save, save-as, lock, and unlock local KDBX databases through the UI.
|
|
- KeePassGO can open and save remote WebDAV-backed KDBX databases through the UI, including visible conflict and error handling.
|
|
- KeePassGO supports master password, key file, and composite key workflows in the product.
|
|
- KeePassGO supports nested groups, path-aware navigation, explicit template navigation, and explicit recycle-bin navigation.
|
|
- KeePassGO supports entry create, edit, duplicate, delete, restore, history browse, and history restore through the UI.
|
|
- KeePassGO supports title, username, password, URL, notes, tags, and custom string fields through the UI.
|
|
- KeePassGO supports attachment add, replace, remove, list, and export through the UI.
|
|
- KeePassGO supports reusable templates through the UI and through the gRPC API.
|
|
- KeePassGO supports current-group listing, global search, and visible path context consistently across desktop and phone layouts.
|
|
- KeePassGO supports copy username, copy password, copy URL, and reveal or hide password behavior end to end.
|
|
- KeePassGO exposes password generation profiles through both UI and gRPC.
|
|
- The secure gRPC API is broad enough for trusted automation and browser-extension-style integration.
|
|
- Keyboard-first navigation and common shortcuts exist for major product workflows.
|
|
- The UI no longer depends on prototype-only mock behavior for any core workflow.
|
|
- `go test ./...` passes.
|
|
- `go tool golangci-lint run ./...` passes.
|