- Pack signature accepts optional salt, writes 16-byte salt between header and TOC
- Set flags bit 4 and adjust toc_offset to 56 when salt present
- read_archive_metadata returns salt alongside header and TOC entries
- Add read_archive_salt() public helper for pre-unpack salt reading
- main.rs uses resolve_key_for_pack/resolve_key_for_unpack for two-phase password flow
- Add 5 new integration tests: password roundtrip, wrong password rejection,
salt flag presence, no-salt flag for key archives, directory password roundtrip
- All 52 tests pass (25 unit + 7 golden + 20 integration)
- Add hex dependency for --key hex decoding
- Add KeyArgs (--key, --key-file, --password) as clap arg group on top-level CLI
- Replace hardcoded KEY constant with resolve_key() supporting hex and file sources
- Refactor pack/unpack to require key parameter, inspect accepts optional key
- Wire CLI key resolution to archive functions in main.rs
- Inspect works without key (header only) or with key (full TOC listing)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pack changes:
- Split into path-collection (sequential) + crypto-processing (parallel)
- Introduce CollectedEntry enum to separate directory walk from file processing
- process_file() now creates thread-local RNG instead of taking &mut Rng
- File entries processed via rayon into_par_iter(), preserving deterministic order
Unpack changes:
- Phase 1: Sequential read of all ciphertexts from archive (single file handle)
- Phase 2: Create all directories sequentially (parent-before-child ordering)
- Phase 3: Parallel verify/decrypt/decompress/write via rayon par_iter
- Phase 4: Sequential result reporting for deterministic output
- Collect results into Vec<UnpackResult> to avoid interleaved stdout/stderr
- Bump VERSION constant from 1 to 2
- Add entry_type (u8) and permissions (u16) fields to TocEntry struct
- Update write_toc_entry/read_toc_entry for new field order after name
- Update entry_size formula from 101 to 104 + name_length
- Update all unit tests for v1.1 layout (new fields, version 2, sizes)
- Add placeholder entry_type/permissions to archive.rs ProcessedFile for compilation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- pack(): generate decoy padding (64-4096 random bytes per file)
- pack(): encrypt serialized TOC with AES-256-CBC using random toc_iv
- pack(): XOR header buffer before writing (8-byte cyclic key)
- pack(): set flags bits 1-3 (0x0E) for all obfuscation features
- unpack(): XOR bootstrapping via read_header_auto()
- unpack(): decrypt TOC when flags bit 1 is set
- inspect(): full de-obfuscation via shared read_archive_metadata()
- Factor out read_archive_metadata() helper for unpack/inspect reuse
- All existing tests pass (unit, golden, round-trip integration)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
