Files
keepassgo/AGENTS.md
T
2026-03-29 11:04:38 -07:00

129 lines
5.4 KiB
Markdown

# Product Requirements
These instructions apply to all future work in this repository.
## Product Intent
- Build the product under the user-facing name `KeePassGO`.
- Build a real password manager product in Go.
- Keep Windows and Linux as first-class desktop targets.
- Keep Android as a future target, but do not distort the desktop product to chase Android prematurely.
- Preserve compatibility with KeePass/KDBX so the app can coexist with KeePass2Android.
- Use maintained upstream libraries for KDBX parsing, crypto, and other behavioral requirements when a maintained library is a good fit.
## Skills
- Use the installed Go skills whenever they materially apply to the current slice of work.
- The available Go skills for this repository are:
`go-code-review`,
`go-concurrency`,
`go-context`,
`go-control-flow`,
`go-data-structures`,
`go-declarations`,
`go-defensive`,
`go-documentation`,
`go-error-handling`,
`go-functional-options`,
`go-functions`,
`go-generics`,
`go-interfaces`,
`go-linting`,
`go-logging`,
`go-naming`,
`go-packages`,
`go-performance`,
`go-style-core`,
`go-testing`.
- In particular:
use `go-testing` for test-first slices and behavior tests,
`go-packages` for package boundaries and dependency layout,
`go-linting` for `golangci-lint`,
`go-code-review` when reviewing risky changes,
`go-interfaces` for seams and test doubles,
`go-error-handling` for error contracts,
`go-concurrency` and `go-context` for concurrent or cancellable flows,
and the remaining skills whenever their topic is directly implicated by the work.
## Required Feature Parity Targets
These are the KeePass 2.57.1 capabilities that this product should explicitly target, subject to platform constraints.
- Database lifecycle:
create, open, edit, save, save-as, and lock/unlock KDBX databases.
- Master key support:
master password, key file, and composite master key support.
- KDBX compatibility:
preserve interoperability with KeePass/KeePass2Android-compatible databases.
- Database security settings:
support the major KeePass-style encryption and KDF configuration choices that are represented in KDBX databases.
- Groups and paths:
nested groups, entry paths, and path-aware navigation.
- Entry fields:
title, username, password, URL, notes, tags, and custom string fields.
- Search:
current-group listing, global search, and search results with visible path context.
- Entry data transfer:
copy username, copy password, copy URL, and password reveal/hide controls.
- Password generation:
strong password generation with configurable rules and reusable profiles.
- Entry history and recycle semantics:
support entry history and deletion/recovery behavior compatible with KeePass expectations.
- Attachments:
store and retrieve file attachments in entries.
- Templates:
support entry templates or an equivalent reusable-entry mechanism.
- Programmatic integration:
provide a secure gRPC API for trusted clients such as browser extensions and local automation.
- Desktop automation:
either provide a desktop login automation mechanism comparable in purpose to KeePass auto-type, or document why the secure gRPC integration surface supersedes it.
- Import/export:
KDBX import/export is mandatory; additional import/export formats are desirable but secondary.
- WebDAV workflow:
direct remote-file workflows must exist and be treated as a first-class product feature.
- Accessibility and keyboard use:
keyboard-first operation, high-DPI support, and screen-reader-conscious design.
These features are product requirements, not “nice to have” ideas.
## UX Direction
- Desktop and phone layouts may differ significantly.
- Desktop should optimize for information density and low-friction navigation.
- Phone should optimize for low tap count, not purity of mobile patterns.
- The stacked phone layout is the current preferred phone direction.
- Do not reintroduce the abandoned phone flow mode unless explicitly requested.
## Architecture
- Separate domain logic from Gio UI code.
- UI state should not be the source of truth for vault structure or search behavior.
- Domain packages must be test-driven where practical.
- Prefer behavior-oriented tests that describe expected product behavior rather than implementation details.
- Provide a secure gRPC API as a first-class programmatic surface, not as a thin wrapper around UI state.
- Design browser-extension and automation integrations against the gRPC API, not against ad hoc local protocols.
## Delivery Discipline
- Do not treat this product as complete until the stated requirements in this file are actually satisfied.
- Do not stop at a “good checkpoint” or “meaningful tranche” when required product capabilities are still missing.
- Continue iterating in test-first slices:
add or extend behavior tests,
implement the minimum code to satisfy them,
verify with `go test ./...` and relevant lint checks,
and commit each completed behavior.
- Only stop before the requirements are satisfied if the work is genuinely blocked by a missing decision, missing external dependency, or a hard technical constraint that cannot be resolved within the repo.
- If blocked, state the blocker concretely and stop only at that point.
## Persistence and Sync
- Plan for direct KDBX support.
- Plan for direct WebDAV-based workflows.
- Avoid adding npm-based or browser-stack dependencies.
## Tooling
- Keep `golangci-lint` passing.
- Keep `go test ./...` passing.
- Do not commit generated binaries.