1. On your NAS: Initialize git repo for your base password store

   cd /nas/firefox/
   git init
   git add passwords.csv
   git commit -m "Initial password base"

2. On your machine: Export Firefox passwords to export.csv

   Firefox → Settings → Privacy & Security → Passwords → ⋯ → Export Passwords

   Note	Save the exported CSV file (Firefox export format with plaintext passwords)

3. Merge into base:

   fpm /nas/firefox/passwords.csv ~/Downloads/export.csv

4. Review and apply:

   fpm -f /nas/firefox/passwords.csv ~/Downloads/export.csv

5. Commit changes:

   cd /nas/firefox/
   git add passwords.csv
   git commit -m "Merged passwords from laptop"

Options:

-f

Apply changes (default: dry-run)

-q

Quiet mode (only errors/warnings)

-d

Debug level 1 (default, summary + important changes)

-dd

Debug level 2 (show all changes including metadata)

-sort

Sort output by URL and username (makes manual review easier, helps spot case-variation duplicates)

Examples:

For each unique credential (url, username, formActionOrigin):

Automatically resolved:

• Password updated on one machine (newer timePasswordChanged wins)

• Metadata changes (merge to most recent values)

• New passwords created after last git commit

• Passwords deleted from git history

Requires user input:

• Different passwords with identical timePasswordChanged timestamps

• Old passwords in export that never existed in git history

When same password exists in both files:

• timeLastUsed: max (most recent)

• timeCreated: min (earliest)

• timePasswordChanged: from version with newer change

Shows full details for all changes including all metadata updates.

Only shows errors and warnings, useful for scripts.

The tool checks git history to find passwords that were previously committed but are now missing. This prevents re-adding passwords you intentionally deleted.

How it works:

1. Parse current passwords.csv (HEAD)

2. Parse last 10 commits touching the file

3. Identify credentials that existed before but not now

4. Mark as "intentionally deleted"

If passwords.csv is not in a git repo:

• Falls back to conservative mode

• Adds new passwords by default

• Asks for confirmation on ambiguous cases

This tool uses the external git command instead of a Go git library (like go-git). Here’s the rationale:

Advantages of external git command:

• Zero dependencies: No additional Go dependencies for git operations

• Smaller binary: No 5-10MB library overhead

• Simple operations: Our git needs are basic (log, show, diff, commit)

• User familiarity: Users likely already have git installed for password versioning

• Readable code: git show commit:file is clearer than library-specific APIs

• Platform consistency: System git respects user’s git config and behavior

Disadvantages of external git command:

• External dependency: Requires git binary to be installed and in PATH

• Platform variations: Git behavior can vary slightly across platforms

• Process overhead: Spawning processes is slower than in-process calls

• Error parsing: Must parse text output instead of structured errors

• Security considerations: Need to validate inputs to prevent command injection

To prevent security issues when using external git commands, this tool:

• Validates commit hashes match the pattern ^[a-f0-9]{7,40}$

• Uses -C directory flag instead of cd to avoid directory traversal

• Never passes user input directly to git commands without validation

• Uses fixed arguments for git operations where possible

This tool implements multiple security measures to protect your credentials:

Binary Hardening:

The binary is built with security-hardening compiler flags:

• CGO_ENABLED=0 - Pure static Go binary (no C dependencies, no shared libraries, no LD_PRELOAD attacks)

• -s - Strips symbol table (reduces attack surface, smaller binary)

• -w - Strips DWARF debug information (prevents reverse engineering)

• -trimpath - Reproducible builds (removes local path information)

• -buildvcs=false - Deterministic builds (removes VCS metadata)

For detailed flag documentation, see: https://pkg.go.dev/cmd/link

Supply Chain Security:

• Zero external dependencies - Only Go standard library (no supply chain risk)

• SBOM generation - Software Bill of Materials via make sbom

• Reproducible builds - Same source = same binary

• Vulnerability scanning - Regular govulncheck and Trivy scans

Code Security:

• Input validation - Git commit hashes validated with ^[a-f0-9]{7,40}$

• Command injection prevention - No user input passed directly to shell

• gosec SAST - Static analysis for security issues (see .golangci.yml)

• Semgrep analysis - Additional SAST with security-focused rules

Operational Security:

• Security scanning - Run make security for comprehensive scans

• Seccomp syscall filtering - Optional blacklist blocks networking and dangerous syscalls (see SECCOMP.md)

• Security policy - See SECURITY.md for reporting vulnerabilities

• Threat model - See THREAT_MODEL.md for detailed risk analysis

Reporting Security Issues:

Please report security vulnerabilities to: [email protected]

See SECURITY.md for our full security policy and responsible disclosure process.

For additional security, you can run fpm with Seccomp-BPF filtering to block dangerous system calls:

Benefits:

• Even if exploited, attacker cannot open network connections

• Reduces attack surface by blocking unnecessary syscalls

• Zero performance impact (kernel-level BPF filtering)

• Used by Chrome, systemd, Docker for sandboxing

See SECCOMP.md for complete documentation, usage examples, and the full syscall blacklist.

Modern software supply chain attacks target dependency ecosystems. A single compromised package can affect thousands of downstream projects. For a password management tool, the attack surface must be minimal.

Comparison with similar tools:

Attack surface reduction:

• No supply chain risk: Cannot be compromised via dependency poisoning

• No automated updates: Dependabot/Renovate removed (nothing to update)

• Audit simplicity: Only need to audit this codebase + Go stdlib

• Build reproducibility: Builds are deterministic with locked Go version

• Long-term stability: No breakage from upstream dependency changes

• Static linking: Binary has no shared library dependencies (no libc, no LD_PRELOAD attacks, no /usr/lib compromise vectors)

Runtime external dependencies:

The only external binary this tool executes is git (when operating on git-tracked password files). This is the sole external attack vector at runtime. The tool validates all inputs to git commands (commit hash validation, fixed arguments, etc.) to minimize command injection risks.

This tool will build and run identically in 5+ years with the same Go toolchain.

Firefox’s CSV export has several non-standard formatting quirks that this tool handles correctly:

Line Endings: CRLF (\r\n)

Firefox uses Windows-style line endings regardless of platform. The tool preserves this format when writing merged files.

Quote Handling: Non-standard

Firefox uses inconsistent quoting that doesn’t strictly follow RFC 4180. The tool uses Go’s LazyQuotes mode to parse these files correctly.

httpRealm Field: Special case

When the httpRealm field is empty, Firefox writes it as ,, (unquoted empty value between commas). Non-empty values are quoted normally: "Protected Area". This is the only field with this behavior.

# httpRealm empty (unquoted)
"https://example.com","user","pass",,"https://example.com/login",...

# httpRealm with value (quoted)
"https://api.example.com","admin","pass","Protected Area","https://api.example.com",...

Internal Quotes: Standard escaping

Quotes within field values are escaped using double quotes: "pass""word" represents pass"word.

All Other Fields: Always quoted

All fields except empty httpRealm are always quoted, even if they don’t contain special characters.

These quirks are tested explicitly in the test suite (TestFirefoxCSVQuirks_*) to ensure compatibility with actual Firefox exports.

When importing a merged CSV file back into Firefox, you may encounter the following issues:

Duplicate GUID Error: "Error: Missing field"

If the CSV contains two rows with the same GUID but different URLs or usernames, Firefox will import the first entry successfully and report "Error: Missing field" for the second entry. This confusing error message actually indicates a duplicate GUID conflict.

Resolution: Ensure all GUIDs in the merged file are unique. The tool does not currently detect or fix duplicate GUIDs automatically.

Case-Insensitive Duplicate Detection (Probable): "Error: Missing field"

Firefox appears to perform case-insensitive duplicate detection during import. If you have two entries for the same website with usernames that differ only by case (e.g., [email protected] and [email protected]), Firefox will likely import the first entry alphabetically and reject the second with "Error: Missing field". This behavior has been observed but not verified in Firefox source code.

# Both entries present in CSV
"https://example.com","[email protected]","pass1",,...
"https://example.com","[email protected]","pass2",,...

# Firefox imports only one, reports "Missing field" for the other

Resolution: Before importing, review the sorted CSV file for case variations of the same username. Use the -sort flag to make these duplicates easier to spot:

fpm -f -sort passwords.csv export.csv

Remove duplicate entries manually, keeping only the preferred case variation.