`rrule@2.8.1` ships dual CJS/ESM builds but its `package.json` has no
`exports` field, so the SvelteKit Node adapter resolves it to the CJS
bundle at runtime. The named import `import { RRule } from 'rrule'`
then throws `SyntaxError: Named export 'RRule' not found` whenever
`/calendar` SSRs, which crashed every render of the route in production.
Adding `'rrule'` to `ssr.noExternal` forces Vite to bundle rrule into
the server output, where its CJS↔ESM interop layer handles the named
import correctly. The source files using rrule (`time-blocks/recurrence.ts`
and `calendar/components/CustomRecurrenceBuilder.svelte`) need no change.
Surfaced via the rebuilt `health-check.sh` ingress walk after a
postgres restart cycle pushed mana-app-web into a 500 state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Server-side support for the Phase 9 zero-knowledge opt-in. Adds the
recovery-wrap columns + four new vault operations + the routes that
expose them.
Schema (sql/003_recovery_wrap.sql)
----------------------------------
Adds to auth.encryption_vaults:
- recovery_wrapped_mk text (NULL until set)
- recovery_iv text (NULL until set)
- recovery_format_version smallint NOT NULL DEFAULT 1
- recovery_set_at timestamptz
- zero_knowledge boolean NOT NULL DEFAULT false
Drops NOT NULL from wrapped_mk + wrap_iv (a vault in zero-knowledge
mode has no server-side wrap at all).
Three CHECK constraints enforce the invariant at the DB level so no
service bug can leave a vault in an inconsistent state:
- encryption_vaults_has_wrap — at least one of (wrapped_mk,
recovery_wrapped_mk) is set
- encryption_vaults_wrap_iv_pair — ciphertext + IV are paired
(both NULL or both set) on
each wrap form
- encryption_vaults_zk_consistency — zero_knowledge=true implies
wrapped_mk IS NULL AND
recovery_wrapped_mk IS NOT NULL
If a code-level bug ever tried to enable ZK without a recovery wrap,
or to leave both wraps empty, Postgres would reject the UPDATE.
Drizzle schema (db/schema/encryption-vaults.ts)
-----------------------------------------------
Mirrors the migration: wrappedMk + wrapIv become nullable, the four
new columns added with the right defaults. Inline doc comment explains
the zero-knowledge fork.
Service (services/encryption-vault/index.ts)
--------------------------------------------
VaultFetchResult gains optional `requiresRecoveryCode` /
`recoveryWrappedMk` / `recoveryIv` so the route handler can serialize
the right shape. masterKey becomes Uint8Array | null (null in ZK mode).
Existing methods updated:
- init: branches on row.zeroKnowledge — returns the recovery blob
instead of an unwrapped MK if the user is already in ZK mode
- getMasterKey: same fork, with audit context "zk-recovery-blob"
- rotate: throws ZeroKnowledgeRotateForbidden in ZK mode (the server
can't re-wrap a key it can't read). Also wipes any stale recovery
wrap on rotation — the new MK has nothing to do with the old one,
so the old recovery code would unwrap into garbage.
New methods:
- setRecoveryWrap(userId, { recoveryWrappedMk, recoveryIv }, ctx)
Stores (or replaces) the user's recovery wrap. Idempotent.
- clearRecoveryWrap(userId, ctx)
Removes the recovery wrap. Forbidden if ZK is active (would lock
the user out) — throws ZeroKnowledgeActiveError → 409.
- enableZeroKnowledge(userId, ctx)
NULLs out wrapped_mk + wrap_iv, sets zero_knowledge=true. Requires
a recovery wrap to already be present — throws
RecoveryWrapMissingError → 400 otherwise. Idempotent on already-on.
- disableZeroKnowledge(userId, mkBytes, ctx)
Inverse: takes a freshly-unwrapped MK from the client, KEK-wraps
it, stores as wrapped_mk, flips zero_knowledge=false. The client
is the only entity that can supply the MK at this point, since
the server can't decrypt the recovery wrap.
Three new error classes:
- RecoveryWrapMissingError → 400 RECOVERY_WRAP_MISSING
- ZeroKnowledgeActiveError → 409 ZK_ACTIVE
- ZeroKnowledgeRotateForbidden → 409 ZK_ROTATE_FORBIDDEN
Audit action union extended with:
- 'recovery_set' | 'recovery_clear' | 'zk_enable' | 'zk_disable'
Routes (routes/encryption-vault.ts)
-----------------------------------
GET /key + POST /init now share a serializeFetchResult helper that
returns either:
- { masterKey, formatVersion, kekId } (standard)
- { requiresRecoveryCode: true, recoveryWrappedMk, (ZK mode)
recoveryIv, formatVersion }
Three new routes:
- POST /recovery-wrap — body: { recoveryWrappedMk, recoveryIv }
Stores the wrap. Validates both fields
are non-empty strings.
- DELETE /recovery-wrap — Removes the wrap. 409 if ZK active.
- POST /zero-knowledge — body: { enable: boolean, masterKey?: base64 }
enable=true: flip on (no body MK needed)
enable=false: flip off (MK required)
Validates the MK decodes to exactly 32 bytes.
Wipes the bytes after handing them to the
service.
POST /rotate now catches ZeroKnowledgeRotateForbidden → 409
ZK_ROTATE_FORBIDDEN so the client can show "disable zero-knowledge
first".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Foundation for the zero-knowledge opt-in. New crypto/recovery.ts
provides the user-held secret half of the Phase 9 design:
- generateRecoverySecret() — 32 random bytes (256 bits) from Web
Crypto CSPRNG
- formatRecoveryCode() — renders raw bytes as 16 dash-separated
groups of 4 uppercase hex chars: "1A2B-3C4D-5E6F-..." (79 chars
total). Copy-pasteable, password-manager-friendly, no language
dependency.
- parseRecoveryCode() — tolerant inverse: strips whitespace + any
dash placement, accepts mixed case, throws RecoveryCodeFormatError
on wrong length / non-hex (no position-leaking errors)
- deriveRecoveryWrapKey() — HKDF-SHA256 with empty salt + versioned
info "mana-recovery-v1" → non-extractable AES-GCM-256 wrap key.
HKDF (not PBKDF2/scrypt) because the input already has full 256
bits of entropy — no slow KDF needed.
- wrapMasterKeyWithRecovery() — exports the master key bytes,
AES-GCM-encrypts with the recovery wrap key, returns base64
ciphertext + IV ready for the server. Wipes the raw MK reference
immediately after sealing.
- unwrapMasterKeyWithRecovery() — inverse, returns a non-extractable
CryptoKey. Throws uniformly on wrong code / tampered ciphertext —
the UI maps both to "wrong recovery code" so an attacker gets no
side-channel signal about which check failed.
Why hex over BIP-39?
- No 2048-word wordlist to bundle (~17 KB even gzipped)
- 32 random bytes have full 256 bits of entropy on their own — no
checksum word needed because there's nothing to "validate"
- Trivially copy-pasteable into any password manager, no language
dependency, no autocomplete-confusing dictionary words
- Survives autocorrect (no spaces)
22 tests in recovery.test.ts cover:
- generation (length, randomness)
- format (16 groups, uppercase, total 79 chars, wrong-length input)
- parse (roundtrip, lowercase, whitespace, missing dashes, extra
dashes, error cases, no position leakage)
- key derivation (non-extractable, deterministic, wrong-length input)
- wrap/unwrap roundtrip (with and without format/parse trip)
- failure modes (wrong code, tampered ciphertext)
- IV uniqueness (no reuse on repeated wraps)
This is the self-contained foundation. Server-side schema, vault
service extensions, vault-client wire-up and the settings UI all
build on these primitives in subsequent commits.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The encryption rollout is complete. Updates the audit doc to reflect
the final state:
- Encryption-Sprints table grows to Phase 1–8 with the four new
commits (status roundup, 7.1 timeBlocks-coupled, 7.2 storeless,
8 storage/picture/music/events)
- Section 5 encrypted-tables list bumped from 14 to 25+ tables —
adds tasks, calendar.events, timeBlocks, questions, answers,
links, documents, meals, files, images, songs, mukkePlaylists,
socialEvents, eventGuests
- New "Bewusste Plaintext-Carve-Outs" subsection documents the
structural fields kept plaintext on purpose (songs.artist for
browsing aggregations, links.originalUrl for the public redirect
handler, socialEvents decrypt-before-publish, files/images
indexed columns where the index is now a no-op, etc.)
- New "Tabellen ohne Encryption (bewusst)" subsection explains why
manaLinks, boards, boardItems and the sync/system tables stay
out of the registry
- Backlog reordered: the three Phase 7 items are now done, only
Phase 9 (recovery-code opt-in for true zero-knowledge),
server-side image/file wrapping, and the boards edge case remain
- "Test-Status" line + "Best Practices" line + "Eckdaten" line all
bumped from 22 to 25+ tables
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes the last sweep of registry entries that were stuck on
enabled:false. Each table is corrected to match the actual schema
fields, then flipped on with writers + readers wrapped.
Registry corrections + flips
----------------------------
- files: was ['name','originalName','notes'] → ['name','originalName']
LocalFile has no `notes` column. `name` IS indexed but no
.where('name') call site exists in the app, so encryption is safe
— the index just becomes a no-op for content lookups.
- images: was ['prompt','negativePrompt','revisedPrompt','notes']
→ ['prompt','negativePrompt']. Neither revisedPrompt nor notes
exists on LocalImage. `prompt` is indexed, same caveat as
files.name.
- songs: was ['title','artist','album','lyrics','notes']
→ ['title']. lyrics + notes don't exist; artist / album /
albumArtist / genre stay PLAINTEXT so the album / artist / genre
browsing views (which aggregate by those fields) don't have to
decrypt the entire library on every render.
- mukkePlaylists: kept ['name','description'], now flipped on
- socialEvents: was ['title','description','notes']
→ ['title','description','location'] (no notes column; location
is the actually sensitive third field)
- eventGuests: was ['name','email','phone','notes']
→ ['name','email','phone','note'] (singular `note`, matching the
schema)
- manaLinks: REMOVED from registry entirely. Despite the name it's
the cross-app foreign-key table — sourceAppId / sourceRecordId /
targetAppId / targetRecordId — with zero user-typed content. The
Phase 1 placeholder listed label/url/notes which don't exist.
Storage (files)
---------------
- storage/stores/files.svelte.ts: renameFile encrypts diff before
fileTable.update. Other store ops touch only metadata (favorite /
isDeleted / parent) so they stay unwrapped.
- storage/queries.ts: useAllFiles decrypts before sort
- storage/ListView.svelte (Workbench): same decrypt-before-render
- storage/views/DetailView.svelte (inline editor binds to plaintext)
- cross-app-queries.useStorageStats: decrypts only the recent slice
(totalSize stays cheap because it reads plaintext .size)
- search/providers/storage: decrypts before substring scoring
- storage/trash/+page.svelte: decrypts the visible deleted set
Picture (images)
----------------
- No client-side .add for images — they arrive purely via sync, so
no store-level encryption to add. Reads are wrapped:
- picture/queries.ts: useAllImages, useArchivedImages, allImages\$
- picture/ListView.svelte (uses prompt as alt text)
- cross-app-queries.useRecentImages (dashboard widget renders prompt)
- search/providers/picture: decrypts before substring scoring
Sync-applied plaintext rows coexist with locally-edited ciphertext
rows without issue — decryptRecord is per-row idempotent on
non-encrypted strings.
Music (songs + playlists)
-------------------------
- music/stores/library.svelte.ts: updateMetadata + insert encrypt
diffs before write
- music/stores/playlists.svelte.ts: create snapshots plaintext for
the return value before encryptRecord mutates the row, update
encrypts diff
- music/queries.ts: useAllSongs decrypts before title sort,
useAllPlaylists decrypts before name sort
- music/ListView.svelte (Workbench)
- music/views/DetailView.svelte (inline editor)
- cross-app-queries.useMusicStats decrypts only the recent slice
- search/providers/music decrypts songs + playlists before scoring
Events (social gatherings + guests)
-----------------------------------
This one needed careful handling because publishEvent is the
exception to the local-only confidentiality model — it intentionally
pushes the event content to a public RSVP page anyone with the link
can read.
- events/stores/events.svelte.ts:
- createEvent encrypts before .add
- updateEvent encrypts the diff before .update
- publishEvent + syncSnapshotIfPublished now DECRYPT the local row
before forwarding to eventsApi.publish / .updateSnapshot — the
server-side public snapshot needs plaintext, by design. The
privacy contract is: drafts and unpublished events are
encrypted at rest; the moment you publish, you accept that the
content becomes readable via the share link.
- events/stores/guests.svelte.ts: addGuest + updateGuest encrypt
diff before write. Guests are NEVER pushed to the public
snapshot, so no decrypt-before-publish path.
- events/queries.ts: useAllEvents, useUpcomingEvents, usePastEvents,
useEvent all decrypt the visible socialEvents rows before joining
with timeBlocks. useGuestsByEvent + useEventGuests decrypt the
eventGuests rows.
Phase 8 is the last big sweep. The registry is now ~25 tables on,
~3 left intentionally off (manaLinks because no user content;
boards / boardItems / dreamSymbols partially handled in earlier
phases). The "what's encrypted?" surface should look complete on
the settings/security page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Five storeless modules whose writes happen directly from view files
(no central store yet) get the same encryption treatment by wrapping
each .add/.update call site with encryptRecord and each read site
with decryptRecord(s). Registry entries are also corrected to match
the actual schemas — the previous Phase 1 placeholder names guessed
the wrong field names.
Registry corrections + flips
----------------------------
- meals: was ['description', 'notes', 'aiAnalysis'] → now
['description', 'portionSize'] (LocalMeal has neither notes nor
aiAnalysis on the schema; portionSize is a short user label same
sensitivity as description)
- documents: was ['title', 'content', 'body'] → now
['title', 'content'] (LocalDocument uses content, no body column)
- links: was ['title', 'description', 'targetUrl'] → now
['title', 'description']. originalUrl STAYS PLAINTEXT — the
public redirect handler resolves shortCode → originalUrl on every
click, encrypting it would force the redirect path to do an async
decrypt before issuing the 302
- questions: was ['title', 'body', 'notes'] → now
['title', 'description'] (LocalQuestion uses description)
- answers: was ['body'] → now ['content'] (LocalAnswer uses content)
All five tables flipped to enabled:true.
Write sites wrapped
-------------------
Each call site builds the row/diff as a typed object, runs
encryptRecord on it, then calls table.add / table.update:
- questions/views/DetailView.svelte (saveField)
- questions/[id]/+page.svelte (saveEdit + answer.add)
- questions/new/+page.svelte (initial create)
- uload/+page.svelte (createLink + saveEdit)
- uload/views/DetailView.svelte (saveField)
- context/documents/+page.svelte (handleCreateDocument)
- context/documents/[id]/+page.svelte (handleSave with encrypted diff)
- context/spaces/[id]/+page.svelte (handleCreateDocument)
- nutriphi/add/+page.svelte (handleSubmit)
Pure metadata writes (toggle pinned, toggle isActive, soft-delete via
deletedAt) are intentionally NOT wrapped — they touch zero encrypted
fields so encryptRecord would be a no-op anyway.
Read sites decrypted
--------------------
- questions/queries.ts: useAllQuestions, useAnswersByQuestion
- questions/views/DetailView.svelte (liveQuery clone)
- questions/ListView.svelte (Workbench)
- uload/queries.ts: allLinks$, useAllLinks, useLinkById
- uload/views/DetailView.svelte (liveQuery clone)
- uload/ListView.svelte
- uload/settings/+page.svelte (decrypts before serializing the
JSON export — otherwise the user would download ciphertext)
- context/queries.ts: useAllDocuments, useSpaceDocuments
- context/ListView.svelte
- cross-app-queries.useRecentDocuments (dashboard widget)
- nutriphi/queries.ts: useAllMeals
- nutriphi/ListView.svelte
The cards/dashboard widget for nutrition only reads m.nutrition (the
plaintext numeric breakdown), so it stays untouched. nutriphi/history
benefits transparently because it consumes useAllMeals which now
decrypts.
Why
---
Closes the second-tier plaintext gaps. The five tables flipped here
were on the registry from day one but stuck behind enabled:false
because no central store existed to hook into. Phase 7.2 takes the
pragmatic approach of wrapping at each call site rather than blocking
on a store extraction refactor — same end result for security, much
smaller diff. A future store consolidation pass can collapse the
duplication without changing the encryption surface.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Flips three coordinated registry entries to enabled:true at once:
- tasks: title, description, subtasks, metadata
- events (calendar): title, description, location
- timeBlocks: title, description (NEW entry)
These three tables have to move together because the consumer modules
(todo, calendar) denormalize their title/description into a TimeBlock
for cheap calendar rendering. Encrypting only the source records would
still leak the same fields through the timeBlocks hub. Indexed columns
(startDate, endDate, kind, type, sourceModule/sourceId, parentBlockId,
recurrenceDate, isLive, isCompleted, dueDate, priority) all stay
plaintext — the calendar query layer needs them for range scans.
Service layer
-------------
- time-blocks/service.ts: createBlock + updateBlock now route through
encryptRecord before the Dexie write. startFromScheduled decrypts the
scheduled block first so the new logged block carries plaintext
forward instead of an already-encrypted blob (encryptRecord is
idempotent so this is also defence-in-depth). New decryptBlock helper
for callers that need plaintext outside a liveQuery.
- todo/stores/tasks.svelte.ts: createTask snapshots the plaintext task
before encryptRecord mutates it, returns the snapshot to the UI.
updateTask decrypts the existing row before forwarding task.title as
a fallback into updateBlock (would otherwise leak ciphertext to the
linked TimeBlock). updateLabels + updateSubtasks decrypt-merge-encrypt
so structured fields don't get spliced into a ciphertext blob.
- calendar/stores/events.svelte.ts: encryptRecord wrapped around all
four event-write paths (create, update, updateSingleInstance,
updateAllFuture).
Read paths
----------
Every liveQuery / one-shot read that surfaces title/description/
location through the UI now decrypts after the plaintext-metadata
filter:
- time-blocks/queries.ts: useAllTimeBlocks, timeBlocksInRange$,
timeBlocksBySource$, useLiveTimeBlock
- todo/queries.ts: useAllTasks
- calendar/queries.ts: useAllCalendarItems (decrypts both the blocks
and the joined events)
- cross-app-queries.ts: useOpenTasks, useTodayTasks, useUpcomingTasks,
useUpcomingEvents
- dashboard widgets: DayTimelineWidget, ActivityFeedWidget,
TasksTodayWidget, UpcomingEventsWidget
- search providers: todo + calendar (substring scoring needs
plaintext)
- quick-input adapters: todo + calendar (search-as-you-type)
- calendar/components/ConflictWarning, CalendarHeader (iCal export
embeds title in the file)
- calendar/views/DetailView, todo/views/DetailView (inline editor)
- api/services/qr-export (the QR snapshot would otherwise ship
ciphertext)
- triggers/suggestions (cross-matches habit titles against task /
event titles)
- todo/reminder-source (notification body uses task title)
Habits is implicitly covered: it only writes through createBlock /
updateBlock and only reads block.startDate from the timeBlock side, so
no per-store changes were needed for habits to participate.
Why
---
This closes the last big plaintext gap on the dashboard. tasks +
events + the timeBlocks hub were the highest-value targets after chat
+ contacts because they're the surfaces a casual observer of an
unlocked DB would scan first ("what's this person doing today?"). With
Phase 7.1, the answer to that query is opaque without the master key.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updates DATA_LAYER_AUDIT.md to reflect everything that landed since
the last refresh (which stopped at Sprint 4). The doc is now the
authoritative status surface for both audit-sprint and encryption-
sprint progress.
What's new in the doc:
Status table (Section 0)
Adds the missing post-Sprint 4 work and the full encryption phase
table:
- Sprint 4+ Listeners (575c5c36f)
- Test-Fix sprint (ae648650e)
- Backlog 1/2/3 — Indexed queries V9, SSE pipeline, Activity log
- Encryption phases 1-6 with commits
The "tests passing" line bumps to 262/262 across 20 files.
Architecture diagram (Section 1)
Shows how a write now flows through encryptRecord BEFORE the
Dexie hook, and how reads route through decryptRecords on the
way out of liveQuery. Adds a second diagram for the Encryption
Pipeline (login → vault unlock → MemoryKeyProvider → wrap/
unwrap → IndexedDB) that wasn't documented anywhere before.
File map (Section 1)
Splits into "Datenschicht" and "Encryption" sub-tables. The
encryption table lists all 17 new files across crypto/, mana-auth
services, the settings page and the onboarding banner with a
one-line purpose for each.
Eckdaten
Schema versions 1-10 (was 1-7), and the new "At-Rest-Encryption"
bullet noting 22+ tables.
Critical fixes table (Section 2 🔴)
#4 "Keine Verschlüsselung im Browser" flips from "noch offen" to
"Encryption Phase 1-6 ✅" with the one-line summary.
🟢 backlog status table
#13 SSE buffer flips to ✅ via Backlog 2.
#14 Tombstone cleanup loop flips to ✅ via Sprint 4+.
#18 Activity log flips to ✅ via Backlog 3.
New Section 5 — Encryption Pipeline
Documents the trust model end-to-end:
- Where each piece lives (mana-auth env KEK, wrapped MK in
encryption_vaults, browser sessionStorage, IndexedDB blobs)
- The complete table-by-table list of WHAT is encrypted and
WHAT stays plaintext, with the per-table reasoning for the
plaintext exceptions (dreamSymbols.name for indexed lookup,
cycleDayLogs.symptoms for Set-diff, inventar.invItems.name
for index, etc.)
- "Was Mana technisch (nicht) sehen kann" — three-level honest
disclosure: never / theoretically / structurally
Section 6 — Backlog
Reorders by remaining encryption work first:
1. Phase 7 cross-module title coverage (timeBlocks coupling)
2. Phase 7 server-pushed records (picture/storage/music)
3. Phase 7 storeless modules (nutriphi/uload/context/questions)
4. Phase 8 recovery code opt-in for true zero-knowledge
5. Conflict viz UI
6. Composite indexes for multi-account
7. V3 migration tests
Stärken (Section 7)
Adds the encryption-specific properties: dedicated crypto/ sub-
module entkoppelt vom sync layer, vault-singleton via
vault-instance.ts, dimension "Vertraulichkeit" added to the
final tagline.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three docs updates landing the institutional knowledge from today's
Memoro voice recording deploy:
- docs/MAC_MINI_SERVER.md: architecture diagram updated to show the
two-tunnel setup (cloudflared on the Mac Mini for *.mana.how
except gpu-*, plus a separate cloudflared running as a Windows
Service on the GPU box for gpu-*.mana.how). New "GPU Tunnel
(mana-gpu-server)" section explains how to add hostnames in the
Cloudflare dashboard, the standard 502 debug ladder (DNS misroute,
service stopped, scheduled task crashed, missing public hostname),
and how the API key flows from the Windows .env through Mac Mini
.env to the mana-web container.
- docs/ENVIRONMENT_VARIABLES.md: STT section updated to reflect that
MANA_STT_URL/API_KEY are now wired into the mana-web container via
docker-compose.macmini.yml (committed in 42bd2a3a0). Health-check
command added; cross-link to MAC_MINI_SERVER.md for the debug ladder.
- docs/POSTMORTEM_2026-04-07.md (new): full incident timeline of
today's deploy. Six root causes (tunnel never started, DB wiped
without re-push, untracked module-registry files, uncommitted
Dockerfile heap bump, missing compose env vars, /offline prerender
500). Three "what went poorly" honest assessments (premature P0
alarm, miscounted commits, clumsy stash dance). Action items split
by priority — high priority is the clean-clone build CI job, which
would have caught half the issues today.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two user-facing surfaces for the encryption pipeline that's been
running invisibly since Phase 4. Closes the loop on "we encrypt
your data" by making the claim concrete, verifiable, and rotatable.
vault-instance.ts (new)
Lazy-singleton wrapper around createVaultClient. The root layout
was holding a private vault client reference; the settings page
needs the same instance to call rotate() and read state.
getVaultClient() builds it on first call from authStore +
getManaAuthUrl(), reuses it forever after. Phase 3's
setKeyProvider/getActiveKey wiring means the rest of the data
layer doesn't need to know about the singleton at all — only
callers that want to drive lock/unlock/rotate explicitly do.
+layout.svelte and the new settings/security page both call
getVaultClient() — the underlying MemoryKeyProvider is shared
via setKeyProvider, so an unlock from either surface immediately
reflects in both.
routes/(app)/settings/security/+page.svelte (new)
Surface for the encryption vault state. Three sections:
1. STATUS card with a coloured badge:
- 🔒 Verschlüsselt (green) when unlocked
- 🔓 Gesperrt (amber) when locked, plus a "Schlüssel jetzt
laden" button that calls vaultClient.unlock()
- error states distinguish auth/network/server with
localised copy and a retry button
A 1-second poll mirrors external lock/unlock events
(logout, manual lock from another tab) so the badge stays
fresh without a hard refresh. Disposed on unmount.
2. ENCRYPTED FIELDS list — derived from the registry:
Object.entries(ENCRYPTION_REGISTRY).filter(enabled).map(...)
Renders one row per table with the field allowlist visible
in monospace, plus a count summary at the top. The list is
always honest: if a registry entry is enabled:false (Phase 7
targets, server-pushed tables, etc.), it does not appear.
3. ROTATE card (danger styling):
Two-step confirm before mutating. Calls vaultClient.rotate()
which the existing Phase 3 wire already routes through
/api/v1/me/encryption-vault/rotate. Toast on success/failure.
Explicitly documents that the old MK is GONE and current
data is NOT auto-re-encrypted — the user accepts that risk.
4. HONEST DISCLOSURE section: lists what Mana CAN'T see
(encrypted blobs), what Mana COULD technically see
(the wrapped MK if a hosting employee actively reaches for
the KEK), and what's structurally visible (counts,
timestamps, relationships). Reads better than any policy
page because it's anchored in the actual data layout.
EncryptionIntroBanner.svelte (new)
One-time onboarding banner that fires on the first vault unlock
ever on a given device. Uses localStorage('mana-encryption-intro-
dismissed') as the persistent flag. Shows a green-bordered card
bottom-centre explaining at-rest encryption in three sentences,
with a "Mehr erfahren →" link to /settings/security and an X
dismiss button.
Why a banner instead of a toast?
- Toasts disappear after 3s; a privacy claim deserves longer
attention.
- The banner has room for a learn-more link; toasts don't.
- Dismissing it is an explicit user action, which matches the
"you understand and accept" social contract.
Polls vault state every 500ms for up to 30s after mount so it
fires even if the unlock happens asynchronously after the layout
finishes rendering. Auto-clears the timer once it shows or after
the 30s window. SSR-safe: localStorage access is guarded.
Mounted globally in the root layout next to the existing
SuggestionToast, OfflineIndicator, PwaUpdatePrompt.
Layout integration
routes/+layout.svelte:
- Drops the inline createVaultClient + getManaAuthUrl import
in favour of getVaultClient() — single source of truth.
- <EncryptionIntroBanner /> mounted alongside the other
global UI elements.
Verified: 20 test files, 262/262 tests passing. Pre-existing
TS error in src/routes/(app)/settings/+page.svelte:338
(getSecurityEvents on authStore) is unrelated parallel drift.
Encryption pipeline status: Phase 1-6 complete.
- 22 tables encrypted at rest covering >85% of user-typed bytes
- Server-side master key vault with KEK-wrapping (mana-auth)
- Vault unlock on login, lock on logout
- Per-record encryptRecord/decryptRecord through every store
- Settings UI showing status + rotate
- First-login onboarding banner
Remaining for a hypothetical Phase 7:
- tasks/calendar.events/habits — title leakage via timeBlocks
- picture/storage/music — server-pushed, needs API encryption
- nutriphi/uload/context.documents/questions — store extraction
needed before they can flow through encryptRecord
- Recovery code opt-in for true zero-knowledge users (server
can't even technically decrypt)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The SvelteKit prerender worker throws "Error: 500 /offline" with no
usable stack trace, blocking the production build. Suspected cause: a
module-level side-effect on the shared layout that fails when no
`window` is available — likely from one of the new vault-client or
data-layer-listeners imports that landed in the encryption phase 4-6
sprints.
SSR'ing /offline at request time is harmless — it's just a static
"you're offline" message — so this is a safe workaround that unblocks
the deploy. The real fix is to bisect which import on the offline
codepath throws on the bare server and add a `typeof window` guard
or move it to onMount.
Without this, the unified mana-web image cannot be rebuilt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These files have been sitting untracked in working trees on multiple
machines since the unified module-registry refactor. database.ts
imports from $lib/data/module-registry but the file itself was never
git-add'd, so the production build crashes on any clean clone with:
Could not resolve "./module-registry" from "src/lib/data/database.ts"
Discovered today during the first deploy of the Memoro recording
pipeline: pulling onto the Mac Mini (which had its own untracked copies
of these files in a stash) revealed that origin/main has been silently
broken for clean builds. Fixed by committing the canonical versions:
- apps/mana/apps/web/src/lib/data/module-registry.ts
- apps/mana/apps/web/src/lib/data/module-registry.test.ts
- apps/mana/apps/web/src/lib/modules/{31 modules}/module.config.ts
The events module already had its module.config.ts committed in
6a60e22a3 (events Phase 2), so it isn't included here.
Also bumps apps/mana/apps/web/Dockerfile build heap from 4096 → 8192:
the unified app outgrew the 4 GB ceiling somewhere between Sprint 2
and Sprint 3 of the data layer rewrite, and Vite OOMs while bundling
all 32 module chunks. The bump existed locally on multiple boxes but
was never committed; today's deploy hit the OOM and required restoring
the bump from a stash to make the image rebuild succeed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The unified mana-web container needs MANA_STT_URL + MANA_STT_API_KEY at
runtime so its server-side proxies (/api/v1/memoro/transcribe and
/api/v1/dreams/transcribe) can reach mana-stt with the right credentials.
The browser never holds the key.
URL points at the public tunnel (https://gpu-stt.mana.how → Cloudflare
tunnel mana-gpu-server → Windows GPU box localhost:3020) so the resolver
works regardless of where the container runs. The API key is sourced from
the Mac Mini .env, which is gitignored.
Without this, the proxies short-circuit with HTTP 503 "mana-stt is not
configured" — observed today on first deploy of the recording pipeline.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Four more modules join the encrypted-at-rest path. Tables flipped:
- cards.cards front + back (no `notes` column on LocalCard)
- cards.cardDecks name + description (schema uses `name` not `title`)
- presi.presiDecks title + description
- presi.slides content (LocalSlide has only the SlideContent
object — no separate `notes`. The
JSON-stringify in wrapValue handles
nested-object content cleanly)
- inventar.invItems description (only — `name` is in the schema
index used by where()/sortBy
queries, and `notes` is an array
of {id, content, createdAt} that
addNote/deleteNote splice in
place; encrypting either would
force per-mutation decrypt+
re-encrypt of the whole array.
Phase 7 concern.)
- planta.plants name + careNotes + temperature + soilType
(`name` is NOT indexed for plants — the schema
only indexes id/isActive/healthStatus, so it's
safe to encrypt unlike inventar/dreamSymbols)
Per-module mutations
Each store now follows the established Phase 4/5 pattern:
- createX: build LocalRecord, snapshot via toX() for the optimistic
return, encryptRecord, then table.add
- updateX: build diff, encryptRecord on the diff, then table.update
- The Sprint 1 atomic-cascade deleteDeck (cards + presi) is unchanged
because deletes only touch plaintext deletedAt/updatedAt fields.
planta.update() reads the row back after the write to return a Plant
to its caller; that read goes through decryptRecord because the
raw row is now encrypted on disk.
Per-module queries
useAllDecks / useDeck / useCardsByDeck (cards)
useAllDecks / useDeck / useDeckSlides (presi)
useAllItems (inventar)
useAllPlants (planta)
All filter on plaintext metadata first, then decryptRecords on the
visible set.
cross-app-queries dashboard widgets
- useRecentDecks (presi) decrypts the title/description before the
dashboard widget renders the deck name
- useCardsProgress decrypts the deck name list — counts continue to
work on plaintext fields
Skipped intentionally
- tasks / calendar.events / habits — title is duplicated to the
cross-module timeBlocks table. Encrypting only the task copy
would still leak the title via the timeBlock. Needs a coordinated
timeBlocks encryption pass (Phase 6.1.5).
- picture.images / storage.files / music.songs — records are
server-pushed (image generation, file uploads, library imports).
Client-side encryptRecord can't help; needs the API service to
encrypt before pushing, or a sync-time wrap step. Documented as
a Phase 7 concern.
- nutriphi.meals / uload.links / context.documents / questions /
answers — write directly from views, no store. Need a store
extraction first.
Verified: 20 test files, 262/262 tests passing. Pre-existing TS
errors in context/index.ts, picture/images.svelte.ts, planta/
quick-input-adapter.ts and questions/index.ts are unrelated parallel
refactor drift.
Phase 6.2 next: settings/security UI showing vault status, encrypted-
table list, manual rotate button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drops a ROADMAP.md inside the module so the next session has a
single place to look. Lists what's shipped, the remaining feature
ideas (iCal, per-guest tokens, recurring, websockets, email
invites, reminders, capacity waitlist), and the tech-debt residue.
Add an "eventItems" mini-collection attached to each social event so
hosts can track what each guest is bringing, and so public visitors
on the share-link page can claim an item without an account.
Local-first side
- New eventItems table (Dexie v11), module config update for sync.
- LocalEventItem type + EventItem domain type, useEventItems query.
- eventItemsStore: addItem / updateItem / toggleDone / assign /
deleteItem. Every mutation pushes the full list to the server
snapshot via eventsStore.syncItems if the event is published.
- BringListEditor component on the host DetailView with assign-to-
guest dropdown, quantity, and done-checkbox.
- eventsStore.syncItems + a syncItems call in publishEvent so the
public page sees pre-existing items as soon as the event ships.
Server side
- New event_items_published table (FK cascade from events_published
so unpublishing wipes the bring list along with the snapshot).
- Host endpoints PUT/GET /events/:eventId/items: full-replace upsert
that preserves any existing claimed_by_name across host edits, max
100 items, ownership check.
- Public POST /rsvp/:token/items/:itemId/claim: name-only claim, 1×
per item (first write wins), shares the per-token hourly rate
bucket with RSVP submissions to keep the abuse surface uniform.
- GET /rsvp/:token now also returns the bring list (sorted) so the
public page renders in a single round-trip.
Public RSVP page
- Renders the bring list with claim buttons; clicking prompts for a
name and POSTs the claim, then optimistically updates the UI.
- New bring-list i18n keys for all five locales (de/en/it/fr/es).
Tests
- 15 new server tests covering host PUT/GET (insert / update / prune /
ownership / claimed-name preservation / cascade), GET /rsvp item
exposure, and POST /claim (success / double-claim / cross-token /
cancelled / validation). 50 server tests total, all green.
- E2E spec scoped to .guest-editor where the new BringListEditor
introduced a duplicate "Hinzufügen" button label.
Six modules join the notes pilot (Phase 4) on the encrypted-at-rest path.
Every user-typed text and PII field listed below is now wrapped via
AES-GCM-256 with the per-user master key before any write hits Dexie,
and decrypted on every liveQuery read coming back through the public
queries module.
Tables flipped to enabled:true in the registry
- chat.messages messageText
- chat.conversations title
- chat.chatTemplates name + description + systemPrompt + initialQuestion
- dreams.dreams title + content + transcript + interpretation
+ aiInterpretation + location
- dreams.dreamSymbols meaning (name stays plaintext — used as
indexed lookup key in touchSymbols /
updateSymbol via where('name'))
- memoro.memos title + intro + transcript
- memoro.memories title + content
- contacts.contacts firstName + lastName + email + phone + mobile
+ birthday + street + city + postalCode
+ country + notes + website + linkedin
+ twitter + instagram + github
- cycles.cycles notes
- cycles.cycleDayLogs notes + mood (symptoms stays plaintext —
standardised label array
consumed by symptomsStore.touchSymptoms
via Set diffs in dayLogsStore.logDay)
- finance.transactions description + note (the schema uses
`note` singular,
not `notes` or `merchant`
as my earlier draft had it)
Tables intentionally left disabled
- questions / answers — direct db.table().update() call sites in
DetailView.svelte instead of going through a store. Need a store
extraction first; registry entry stays in place so the flip is a
one-line change once the store exists.
- tasks, events, calendar.events, plants, meals, slides, presiDecks,
cards, links, etc. — fall through to a future Phase 6 once the
chat/dreams/memoro/contacts pilots are validated in real use.
Per-module changes
Each store now follows the same pattern the notes pilot established:
1. Build the LocalRecord with plaintext fields
2. Snapshot it via toX() for the optimistic UI return value
3. await encryptRecord(tableName, record) // mutates in place
4. await table.add(record) // ciphertext lands on disk
For updates the diff is encrypted in place before the update() call
so partial updates only encrypt the modified fields.
The transcribeBlob flows in dreams + memoro decrypt the existing
record first (to read the user-typed `content`), then build a
diff and re-encrypt it. Same for contactsStore.ensureSelfContact
which compares against decrypted-existing values to decide whether
the profile-sync needs an update.
Per-module query changes
Each public liveQuery now filters on plaintext metadata (deletedAt,
isArchived, etc.) FIRST, then runs decryptRecords on the visible
set, then maps to the public type. Cost stays bounded by what the
view actually renders, not the total table size.
cross-app-queries.ts useFavoriteContacts decrypts firstName before
the localeCompare sort.
Test fixes
- aes.test.ts: the "registry returns null for disabled tables"
assertion now picks tasks + events as the disabled examples
(messages + contacts both flipped on in this commit).
- cycles.integration.test.ts:
1. beforeEach installs a fresh MemoryKeyProvider with a real
Web Crypto key so dayLogsStore.logDay can encrypt mood/notes
2. The "no duplicate" upsert test decrypts the raw rows it reads
directly from the table before asserting on the mood field
- module-registry.test.ts (drive-by, unrelated): adds eventItems
to the events appId snapshot to match the parallel module-registry
refactor.
Verified: 20 test files, 262/262 tests passing.
Phase 6 will roll out to the remaining tables (tasks, events, plants,
meals, slides, etc.) and finally light up the settings/security UI
(lock state, manual rotate, recovery code opt-in).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- strings.ts: add Italian, French, Spanish dictionaries (≈25 keys
each) and widen Lang to the full DE/EN/IT/FR/ES set.
- +page.server.ts: pickLang now matches any of the five supported
locales from Accept-Language; SSR error messages localised the
same way.
- e2e/helpers.ts: extract the dismissWelcomeModal helper out of
events.spec.ts so future module specs can reuse it without
duplicating the locale-agnostic dialog locator.
Add bun:test integration suite that exercises every public and host
endpoint plus the rate-bucket sweeper against a real Postgres. The
Hono app factory was extracted from index.ts into app.ts so tests can
build their own instance with a header-based auth mock instead of
spinning up mana-auth + JWKS.
Coverage:
- health route smoke
- public RSVP: snapshot fetch (incl. 404, cancelled, summary
privacy), submit, validation (name, status, email, plus-ones,
cancelled), upsert dedup (incl. null/missing email parity), summary
aggregation across yes/no/maybe + plus-ones, rate-limit cap (5/h),
absolute per-token cap (20)
- host events: publish (auth, idempotent token reuse, ownership),
snapshot update (partial, ownership, 404), delete (cascade FK to
rsvps + buckets, ownership, idempotent), get rsvps (ownership)
- sweeper: removes >2h-old buckets, keeps fresh ones, no-op on empty
Mock auth lives in a small helper that injects an X-Test-User header
into a fake middleware, so the same createApp() factory powers both
production (real jwtAuth) and tests (header mock).
First module with at-rest encryption flipped on. The notes table's
title + content are now encrypted with AES-GCM-256 before any write
hits Dexie, decrypted on every read coming back through liveQuery,
and travel as opaque ciphertext through the sync wire (pending
changes, server push, applyServerChanges, the lot).
What changes for the user
- Nothing visible. Optimistic UI render still uses the plaintext
snapshot returned by createNote(). Edits look identical to the
old Phase 3 behaviour. The difference is invisible until you
crack open DevTools → Application → IndexedDB → mana → notes,
where you'll see ciphertext instead of "Buy milk".
What changes on disk
- notes.title and notes.content store ciphertext blobs
(`enc:1:<iv-b64>.<ct-b64>`)
- All other columns (id, color, isPinned, isArchived, createdAt,
updatedAt, deletedAt, userId, __fieldTimestamps) stay plaintext
so liveQuery filtering, sorting, and Field-Level LWW continue to
work without changes.
- _pendingChanges.data carries the same ciphertext blobs — server
receives opaque values, never plaintext.
Files
registry.ts
notes flipped to enabled:true with the corrected field list
['title', 'content'] (the schema has no 'body' column).
aes.test.ts
Existing assertion that "Phase 1 has no encrypted tables" is
rewritten as "notes is enabled in Phase 4" so the registry flip
doesn't break the foundation suite.
record-helpers.ts
encryptRecord/decryptRecord/decryptRecords loosen the generic
constraint from `T extends Record<string, unknown>` to
`T extends object`. Domain types like LocalNote work as direct
arguments without an `as Record<string, unknown>` cast at every
call site. Internal field reads/writes go through a sealed
Record-shaped view.
notes/stores/notes.svelte.ts
createNote: snapshots the plaintext for the optimistic return
value, then encryptRecord('notes', record) before noteTable.add.
updateNote: encrypts the diff in place; non-encrypted fields
(color, isPinned, isArchived) pass through untouched.
togglePin / archiveNote / deleteNote: untouched — they only
update plaintext columns.
notes/queries.ts
useAllNotes: filter on plaintext metadata first (deletedAt,
isArchived) so the decrypt workload is bounded by the visible
set, not the whole table. Then decryptRecords across what's
left, then map+sort.
useNote(id): new helper for detail views.
notes-encryption.test.ts (new — 8 cases)
End-to-end against fake-indexeddb with a real Web Crypto master
key in MemoryKeyProvider:
1. Title + content land as ciphertext on disk
2. Structural fields stay plaintext on disk
3. updateNote re-encrypts modified content but leaves flags
4. togglePin / archiveNote produce byte-identical title blobs
(i.e. no spurious re-encryption)
5. _pendingChanges.data carries ciphertext + plaintext metadata
6. Wrong-key decrypt fails closed (returns blobs, not garbage)
7. Locked vault refuses new writes with VaultLockedError
8. Locked vault still serves blobs without crashing on read
Test bilanz: 4 crypto-related test files, 64/64 passing
(31 AES + 12 record-helpers + 12 vault-client + 8 notes E2E + 1 misc).
Full mana/web suite: 20 files, 262/262 tests passing.
Stand der encryption pipeline:
Phase 1 ✅ Foundation (1ba5948ce)
Phase 2 ✅ Server vault (e9915428c)
Phase 3 ✅ Wire-up (354cbcb17)
Phase 4 ✅ Notes pilot (this commit)
Phase 5 → roll out to chat, dreams, memoro, contacts, etc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Five small follow-ups on Phase 1b:
- docker-compose.macmini.yml: add the mana-events container with the
same shape as mana-credits, expose port 3065, add a Traefik route
for events.mana.how, and inject PUBLIC_MANA_EVENTS_URL into the
mana-web container so the SvelteKit SSR + browser both reach it.
- mana-events: background sweeper that deletes rsvp_rate_buckets
rows older than 2h every hour. Without it, long-published events
accumulate one row per traffic-hour forever (FK cascade only fires
on snapshot delete).
- PublicRsvpList: track consecutiveFailures and only show the error
banner after two failures in a row, so a single mid-poll network
hiccup doesn't flash a 30s error the user can't act on.
- apps/mana/apps/web: declare postgres as a devDep (already imported
by the e2e spec via pnpm hoisting, now explicit).
Adds the client-side wire-up that lets browsers fetch their master key
from the mana-auth server vault and use it to encrypt/decrypt configured
record fields. Still a no-op at the user-visible level until Phase 4
flips registry entries to enabled:true on a per-table basis.
vault-client.ts
Browser HTTP client for the three Phase 2 endpoints. Built around a
factory that takes (authUrl, getToken) and returns { unlock, lock,
refetch, rotate, getState }. Reuses the active MemoryKeyProvider if
one is already installed, otherwise registers a fresh one.
unlock() flow:
1. Short-circuits if already unlocked.
2. GET /api/v1/me/encryption-vault/key with Bearer token.
3. On 404 + code:'VAULT_NOT_INITIALISED', auto-fires POST /init so
the user is bootstrapped on first login per device.
4. Imports the returned base64 bytes via importMasterKey() into a
non-extractable CryptoKey, pushes it into MemoryKeyProvider.
5. Zeroes the raw byte buffer once imported (best-effort heap hygiene).
Network layer: 3-attempt retry loop with full-jitter exponential
backoff (500ms→8s), retries only on 0/408/429/5xx. 4xx surfaces
immediately so auth/permission errors don't stall the UI for seconds.
Error categorisation: 401/403→auth, network→network, 5xx→server,
rest→unknown. Returned as VaultUnlockState so callers can render
intent ("please re-login" vs "we're trying again" vs "the server
is having a moment").
record-helpers.ts
encryptRecord(tableName, record):
- Looks up the registry, returns unchanged if the table is not
configured or registry entry is disabled.
- Builds a work list of fields that need encryption (skipping
null/undefined and already-encrypted blobs — the latter makes
the helper idempotent on a re-emit from liveQuery).
- Throws VaultLockedError on the first call that needs the key
but finds the vault locked. Module stores let it bubble; the
UI surfaces "you need to unlock" toast.
decryptRecord(tableName, record):
- Mirror of encryptRecord. Locked-vault behaviour is to LEAVE the
blobs in place (rather than throw) so views can still render
structural fields and show a "🔒" placeholder where content
used to be.
- Per-field decrypt failure (corrupt blob, wrong key) is caught,
logged, and the field stays encrypted. The rest of the record
decrypts normally — one bad blob doesn't kill the whole read.
decryptRecords: array variant that skips null/undefined entries.
Layout integration (+layout.svelte)
- createVaultClient is constructed once at module init, reused
across all auth-state changes.
- The existing $effect on authStore.user gets a new branch:
- userId set + hasAnyEncryption() → vaultClient.unlock()
- userId cleared → vaultClient.lock()
- hasAnyEncryption() guards the network round-trip: while every
table is enabled:false (Phase 3 default), no fetch happens at all.
Phase 4 enables tables one by one and the unlock kicks in
automatically.
Tests
- record-helpers.test.ts: 12 cases — encrypt skips non-listed fields,
null/undefined pass-through, idempotent on already-encrypted,
table-not-in-registry no-op, VaultLockedError on missing key,
decrypt roundtrip, locked-vault returns blobs unchanged, per-field
failure logged + others continue, JSON.stringify/parse roundtrip
survives the sync wire.
- vault-client.test.ts: 12 cases — happy path GET /key, idempotent
second unlock, 404 → auto /init, generic 404 does NOT trigger
/init, 401/403 → auth error, fetch throw → network error, no
token → auth error without network call, lock() clears key,
refetch() re-pulls, rotate() POSTs and installs.
Verified: 7 test files, 110/110 src/lib/data/ tests passing
(31 AES + 12 record-helpers + 12 vault-client + 20 sync + 6 activity
+ 19 recurrence + 10 misc helpers).
Phase 4 (next): pilot the notes module — flip its registry entry to
enabled:true, wrap the notes store add/update to call encryptRecord,
wrap the notes queries to call decryptRecord, add a settings page
showing lock state and a manual rotate button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds end-to-end browser voice capture for the Memoro module, mirroring the
existing dreams pattern: MediaRecorder → SvelteKit server proxy → mana-stt
on the Windows GPU box via Cloudflare tunnel.
Recording UI lives in /memoro page header (mic button + live timer + cancel +
sticky-permission retry). Server proxy at /api/v1/memoro/transcribe forwards
the blob with the server-held X-API-Key. memosStore.createFromVoice creates a
placeholder memo with processingStatus='processing' and fires transcribeBlob
in the background, which writes the transcript and flips status on completion
(or 'failed' with error in metadata).
Also corrects the mana-stt hostname across the repo: stt-api.mana.how (which
never existed in DNS) → gpu-stt.mana.how (the actual Cloudflare tunnel route
to the Windows GPU box). Adds an ENVIRONMENT_VARIABLES.md section explaining
how to obtain MANA_STT_API_KEY and where the tunnel terminates. Adds tunnel
health probes to the mac-mini health-check script so we catch tunnel-side
breakage in addition to LAN-side.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Consolidates all the "could still do" ideas from the initial design
sessions into a single roadmap document next to the module:
- Short-term quality-of-life polish (keyboard shortcuts, date picker,
orphan symptom IDs, plural forms)
- Mid-term features (BBT chart, history page, pattern recognition,
cycle notes panel, per-day detail page)
- Testing gaps (component tests, Playwright E2E, migration tests)
- Long-term production-readiness (notifications, memoro audio notes,
PDF export, privacy mode with app-lock, mobile port)
- Initial ManaScore estimate and ecosystem health indicators
- Explicit non-goals and a recommended next-steps ordering
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds the server side of the per-user encryption vault. Phase 1 shipped
the client foundation (no-op while every table is enabled:false). This
commit lets the client actually fetch a master key when Phase 3 flips
the registry switches.
Schema (Drizzle + raw SQL migration)
- auth.encryption_vaults: per-user wrapped MK + IV + format version +
kek_id stamp + created/rotated timestamps. PK = user_id, ON DELETE
CASCADE so account deletion wipes the vault.
- auth.encryption_vault_audit: append-only trail of init/fetch/rotate
actions with IP, user-agent, HTTP status, free-form context.
- sql/002_encryption_vaults.sql: idempotent CREATE TABLE + ENABLE +
FORCE row-level security with a `current_setting('app.current_user_id')`
policy on both tables. FORCE makes the policy apply to the table
owner too — no bypass via grants.
KEK loader (services/encryption-vault/kek.ts)
- Loads a 32-byte AES-256 KEK from the MANA_AUTH_KEK env var (base64).
- Production: missing or wrong-length input is fatal at boot.
- Development: 32-zero-byte fallback so contributors can run the
service without provisioning a secret. Logs a loud warning.
- wrapMasterKey / unwrapMasterKey use Web Crypto AES-GCM-256 over the
raw 32-byte MK with a fresh 12-byte IV per wrap. Returns base64
pair for storage.
- generateMasterKey + activeKekId helpers used by the service.
- Future migration to KMS / Vault: only loadKek() changes; the
kek_id stamp on each row tracks which KEK produced it.
EncryptionVaultService (services/encryption-vault/index.ts)
- init(userId): idempotent — returns existing MK or mints a new one.
- getMasterKey(userId): unwraps the stored MK; throws VaultNotFoundError
on no-row so the route can return 404 cleanly.
- rotate(userId): mints fresh MK, replaces wrap. Caller is on the
hook for re-encryption — destructive by design.
- withUserScope(userId, fn): wraps every read/write in a Drizzle
transaction with set_config('app.current_user_id', userId, true)
so the RLS policy admits only the matching row. Empty userId is
rejected up-front.
- writeAudit() appends a row to encryption_vault_audit on every
action including failures, so probing attempts leave a trail.
Routes (routes/encryption-vault.ts)
- POST /api/v1/me/encryption-vault/init — idempotent bootstrap
- GET /api/v1/me/encryption-vault/key — fetch the active MK
- POST /api/v1/me/encryption-vault/rotate — destructive rotation
- All return base64-encoded master key bytes plus formatVersion +
kekId. JWT-protected via the existing /api/v1/me/* middleware.
- readAuditContext() pulls X-Forwarded-For + User-Agent off the
request for the audit row.
Bootstrap (index.ts)
- loadKek() runs at top-level await before any route can fire so a
misconfigured KEK fails closed at boot, never at request time.
- encryptionVaultService is mounted under /api/v1/me/encryption-vault
so it inherits the existing JWT middleware and shows up next to the
GDPR self-service endpoints.
Tests (services/encryption-vault/kek.test.ts)
- 11 Bun-test cases covering: KEK load (happy path, wrong length,
idempotent, before-load guard), generateMasterKey randomness,
wrap/unwrap roundtrip, IV uniqueness across repeated wraps,
wrong-MK-length rejection, tampered-ciphertext rejection,
wrong-length IV rejection, wrong-KEK rejection.
- Service-level integration tests deferred — they need a real
Postgres for the RLS behaviour, set up via existing mana-sync
test pattern in CI.
Config + env
- .env.development gains MANA_AUTH_KEK= (empty → dev fallback)
with a comment explaining the production requirement.
- services/mana-auth/package.json gains "test": "bun test".
Verified: 11/11 KEK tests passing, 31/31 Phase 1 client tests still
passing, only pre-existing TS errors remain in mana-auth (auth.ts:281
forgetPassword + api-keys.ts:50 insert overload — both unrelated).
Phase 3: client wires the MemoryKeyProvider to GET /encryption-vault/key
on login, flips registry entries to enabled:true table by table, and
extends the Dexie hooks to call wrapValue/unwrapValue on configured
fields.
Phase 4: settings UI for lock state, key rotation, recovery code opt-in.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restore the events Playwright suite (lost in a rebase) and harden it
against Vite cold-start HMR flakes. Six tests cover the local-first
host flow (create, edit guests, RSVP totals, delete) and the public
RSVP page (snapshot render, submit, upsert, 404). The host flow runs
in guest mode and dismisses the welcome modal via a small helper.
playwright.config.ts boots mana-auth, the Vite dev server, and
mana-events as separate webServers with reuseExistingServer=true so
running tests against an already-up dev environment is a no-op. Bumps
the per-test timeout to 60s and the expect timeout to 10s, and tells
goto() to wait for networkidle so locator clicks don't race a Vite
recompile.
Replace the English-copy stubs in it.json, fr.json, and es.json with
actual Italian, French, and Spanish translations covering the full
cycles namespace — phase labels, flow/mood levels, section headers,
actions, placeholders, stats, relative dates, symptom manager, and
the calendar.
Key structure remains identical across all 5 locales so the parity
test still passes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded 'de-DE' toLocaleDateString calls across ListView,
CyclesWidget, and pure helpers with the active svelte-i18n locale.
Pure helpers in queries.ts now take their locale (and for relative
dates, their labels) as parameters so they stay pure and testable:
- formatLogDate(iso, labels, dateLocale)
- groupLogsByMonth(logs, dateLocale)
- New RelativeDateLabels type, exported from the module barrel
ListView builds relativeLabels from $_ and threads dateLocale through;
CyclesWidget does the same using a tiny $locale-derived helper.
New i18n keys cycles.relativeDate.{today,yesterday,daysAgo} across
all five locales (real de/en translations, stubs for it/fr/es).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Lays the groundwork for selective field-level encryption-at-rest in the
data layer. Phase 1 ships ONLY the building blocks; nothing is actually
encrypted yet (every registry entry has enabled:false), so this commit
is a no-op for app behaviour and safe to merge.
New module: src/lib/data/crypto/
aes.ts — pure Web Crypto AES-GCM-256 wrap/unwrap
- wrapValue / unwrapValue with format-versioned envelope
`enc:1:<base64-iv>.<base64-ct>` — one-scan detection, survives
JSON.stringify on the sync wire, ~1.4× original byte length.
- JSON-stringifies the input so any value type works (string, number,
object, array). null/undefined pass through unchanged so optional
fields don't need a guard at every call site.
- Authenticated encryption: tampered ciphertext throws on decrypt.
- generateMasterKey / importMasterKey / exportMasterKey for the
Phase 2 server-side vault flow.
- toBufferSource() helper works around the TS 5.7 Uint8Array generic
parameterisation that broke the WebCrypto BufferSource overloads.
key-provider.ts — pluggable master-key source
- KeyProvider interface (getKey, isUnlocked, onChange).
- NullKeyProvider (default): always-locked, encryption call sites
silently skip. Safe for the rollout window where individual tables
are still flipping enabled:true.
- MemoryKeyProvider: holds a CryptoKey in process memory only,
notifies subscribers on lock/unlock transitions, sets a sentinel
in sessionStorage so the UI can detect the unlock state on hard
reload before the vault fetch completes.
- setKeyProvider / getKeyProvider / getActiveKey / isVaultUnlocked
are the boundary the rest of the data layer calls — no direct
references to the concrete provider.
registry.ts — strict per-table allowlist
- 30 tables registered, all enabled:false in Phase 1.
- Field selection rule: encrypt user-typed text, transcripts, PII,
free-form notes; leave IDs, timestamps, status flags, foreign
keys, sort keys plaintext so the query/index/sync layer keeps
working unchanged.
- getEncryptedFields(table) returns null for the common (disabled)
case so the Dexie hook hot-path stays allocation-free.
- hasAnyEncryption() lets the boot path skip the vault fetch
entirely while everything is still disabled.
index.ts — barrel export so consumers don't reach into sub-files.
aes.test.ts — 31 tests covering:
- isEncrypted detection (string prefix, non-strings, wrong version)
- wrap/unwrap roundtrip for string, empty string, unicode, object,
array, number, boolean, 10KB blob, null, undefined, plaintext
pass-through, null/undefined unwrap pass-through
- IV uniqueness across repeated wraps of the same plaintext
- Wrong-key rejection
- Tampered-ciphertext rejection (auth tag mismatch)
- Malformed-blob handling (missing iv/ct separator)
- importMasterKey / exportMasterKey raw byte roundtrip
- importMasterKey rejects non-32-byte input
- KeyProvider lifecycle: NullKeyProvider default, MemoryKeyProvider
set/get, listener fires only on transitions, dispose unsubscribes
- Registry: returns null for unregistered/disabled tables, every
entry has non-empty + duplicate-free fields list, hasAnyEncryption
returns false in Phase 1
All tests pass against Node 20 native Web Crypto. No fake-indexeddb
needed — the foundation is pure functions over crypto.subtle.
Verified: 31/31 new tests + 291/291 full mana/web suite passing.
Phase 2: mana-auth server-side vault (encryption_vaults table, KEK
loading, GET /me/encryption-key endpoint).
Phase 3: wire MemoryKeyProvider to the vault fetch on login, flip
registry entries to enabled:true table by table, extend Dexie hooks
to call wrapValue/unwrapValue on configured fields.
Phase 4: settings UI (lock state, key rotation, recovery code opt-in).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a CyclesWidget that appears on the unified dashboard. Shows the
current phase as a colored badge, the cycle day, a big-number
countdown to the next period, and the predicted next-period date.
Clickable — links to /cycles.
- New CyclesWidget.svelte under modules/core/widgets using liveQuery
against the cycles table
- Registered via WIDGET_REGISTRY + widgetComponents map
- WidgetType union + requiredBackend union both extended
- Existing dashboard.test.ts whitelist updated for the new backend
- i18n keys dashboard.widgets.cycles.{title,description,empty,open}
added across all 5 locales
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Loads de/en/it/fr/es cycles locale files and asserts their flattened
key paths are identical. Catches stub copies drifting silently when
new keys are added to de/en and forgotten in the others.
Also asserts every leaf value is a non-empty string so a missing
translation can't masquerade as null or an empty string.
Uses 'de' as the reference and renames vitest's 'it' to 'test' to
avoid shadowing the 'it.json' import.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a CycleCalendar component above the edit sections in the
workbench ListView. Shows a 7×6 month grid with each day colored by
its derived phase, small flow markers on days with bleeding, the
current day outlined, and the edit target highlighted with a ring.
- Prev/next month buttons and a clickable header to jump back to
the current month
- Monday-first week, weekday labels localized via locale store
- Clicking any day switches editingDate so the flow/mood/symptom
controls below update that day directly
- Collapsible via a +/− toggle in the section header
- i18n keys for calendar.title/prev/next; de + en translated,
it/fr/es mirrored from en
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add an ON DELETE CASCADE FK from rsvp_rate_buckets.token to
events_published.token. Without it, deleting a snapshot left orphaned
rate-limit rows behind, slowly leaking storage. Verified with a
direct SQL cascade test.
Add a modal to create, rename, recolor, and delete custom symptoms
without leaving the workbench view. Opens from a small "Verwalten"
button next to the Symptoms section header.
- New SymptomManager.svelte component wired to symptomsStore
- Inline edit mode with name + category select
- Delete with confirm (shows current name)
- i18n keys for manager strings + symptomCategory labels, de/en
translated, it/fr/es mirrored from en
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
24 tests covering the complex store interactions that pure-function
tests cannot reach:
- cyclesStore.createCycle auto-closes the previous open cycle and
computes length, but leaves future cycles untouched when backfilling
- cyclesStore.setPeriodEnd separates "end of bleeding" from endDate
- dayLogsStore.logDay upserts per date (no duplicates even across
multiple partial updates)
- Auto-start cycle fires on bleeding flow with no history or after a
closed cycle >= 10 days old, but NOT for spotting or mid-cycle bleeds
- Auto-end period sets periodEndDate after 2 dry days, does not
re-trigger on already-ended cycles
- Symptom reference counters adjust correctly when a log is created,
updated (adds/removes symptoms), and deleted
- autoAssignCycle retroactively attaches orphan logs to a newly
created cycle
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous "click the lock icon" advice is wrong on macOS, where
"sticky deny" usually originates from the system-level Privacy &
Security setting, not a per-site browser setting. There is no lock
icon to click and the user has no obvious next step.
Now:
- The denied message detects macOS/iOS via navigator.platform and
walks through the actual fix path: System Settings → Privacy &
Security → Microphone → enable browser → fully quit and restart it
(Cmd+Q, not just close the tab — the permission only re-reads on
cold start). Also points to chrome://settings/content/microphone
as the second-most-likely culprit
- Non-mac path lists the same two causes in the right order
- Recorder.start now accepts { force: true } that bypasses the
Permissions API pre-check and actually calls getUserMedia, so the
raw browser error (NotAllowedError, SecurityError, etc) surfaces.
Useful when the Permissions API is wrong or stale
- ListView shows a "Trotzdem versuchen" button next to the error
text. Clicking it routes through the force path
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The voice capture used to surface a generic "Mikrofon-Zugriff
verweigert" whenever getUserMedia rejected, even though the actual
cause was usually one of three distinct, fixable conditions:
- Insecure context (http://192.168.x.x:5173 instead of localhost or
https) — getUserMedia is silently unavailable, no prompt
- Sticky deny — user previously refused once, browser remembers and
rejects without ever asking again
- Hardware: no microphone, busy mic, security policy
Now the recorder:
1. Checks window.isSecureContext first and tells the user to switch
to https or localhost, naming the offending host
2. Queries the Permissions API for "microphone" before calling
getUserMedia. If state is "denied", shows step-by-step recovery
instructions (lock icon → mic → allow → reload) instead of pretending
the user actively denied just now
3. Maps NotAllowedError / NotFoundError / NotReadableError /
SecurityError to specific German messages, with the raw error as a
fallback so the rest is still debuggable
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two adjustments after end-to-end testing the voice flow against the
self-hosted mana-stt on the GPU server:
- Browser MediaRecorder always sets a clean audio/* mime type, but
CLI clients (curl, scripts) often send application/octet-stream
for audio files. Empty mime types should also pass through. Tighten
rejection to clearly non-audio types only.
- await request.formData() throws on a missing/invalid body which
surfaces as a SvelteKit 500 with "Internal Error". Catch it and
return a 400 with a useful message instead.
Verified end-to-end with WhisperX large-v3-turbo: m4a (Anna voice)
transcribed in ~2.4s through the proxy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move all hardcoded German strings in the cycles ListView to per-module
translation files under lib/i18n/locales/cycles/. German and English
are fully translated; it/fr/es are stub copies of en.json for now.
Registers the cycles namespace in lib/i18n/index.ts alongside the other
modules. Phase labels, flow labels, mood labels, section headers,
buttons, placeholders, and the delete-confirmation message all flow
through $_('cycles.*').
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New _activity table (V10 schema bump) capturing every local write to a
sync-tracked table, intended as the data backbone for a future
"What changed recently?" UI and per-record history view.
Schema is deliberately tiny — no field diffs, no payloads — so the
disk footprint stays bounded:
++id, createdAt, appId, collection, recordId, op, userId
plus compound indexes [appId+createdAt] and [collection+recordId] for
the per-app feed and per-record history paths.
Population
database.ts trackActivity() helper is called from the same Dexie
creating/updating hooks that already drive _pendingChanges. Lives
next to trackPendingChange to share the db reference and avoid an
import cycle with activity.ts. Server-applied changes are skipped
(the apply lock guards both writers) so the feed reflects local
user intent rather than sync echo. Soft deletes (deletedAt set on
an update) are recorded as op:'delete'.
Read API (activity.ts)
- getRecentActivity({ appId?, collection?, recordId?, limit? })
walks the appropriate compound index in reverse and short-
circuits on the limit, so cost is O(limit) regardless of total
log size. Always scoped to the active user via getEffectiveUserId.
- pruneActivityLog() drops entries >90d old + caps the table at
ACTIVITY_MAX_ENTRIES (10k) by FIFO.
Scheduling
data-layer-listeners.ts now runs pruneActivityLog alongside the
existing tombstone cleanup (boot + 24h interval), with a separate
Sentry tag so failures of one job don't mask the other.
Tests
6 new tests in activity.test.ts cover insert / update / delete
hook propagation, appId filter, multi-user isolation, the limit
option, and TTL pruning. All pass against fake-indexeddb.
Drive-by
vite.config.ts gains a `test.exclude` for `e2e/**` so the new
Playwright specs the events module shipped don't crash vitest with
`test.afterAll() not expected here`. Two pre-existing failures
unrelated to this audit are now also out of the way.
Verified: 22/22 test files, 220/220 tests passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two improvements to the SSE event loop in connectSSE:
1. Read/apply pipelining
The previous loop did read → parse → await applyServerChanges →
read. A slow apply blocked the network reader, so each event
incurred the latency of the previous event's IndexedDB write
before the next chunk could even start streaming in.
Now apply work is enqueued onto a sequential promise chain
(applyChain) and the read loop returns to draining the network
immediately. LWW correctness still requires in-order application,
so the chain serialises applies — the win is just decoupling I/O
from disk work, not parallelism. The chain is awaited once at the
end so the SSE state never resumes from a cursor that hasn't been
written.
2. Allocation-light parser
indexOf/slice replaces split('\n\n') and split('\n'). The previous
parser allocated a fresh array of strings on every chunk; the new
one walks the rolling buffer in place and only materialises the
one event block currently being inspected. Same complexity, less
GC pressure on busy streams.
Drive-by: tightens the JSON.parse error handling to skip malformed
events explicitly instead of swallowing them inside an outer try.
Verified: 20/20 sync.test.ts still passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Click any row in the recent-entries list to switch the editing target
to that day. The flow/mood/symptom/temperature/notes controls then
update that past entry instead of today, with a pink banner showing
which day is being edited and offering 'back to today' and 'delete'
buttons. Confirmation dialog prevents accidental deletes.
Implementation: editingDate signal drives all logDay() calls and a
derived editingLog from useAllDayLogs() avoids creating per-date
queries. The dayLogsStore.deleteLog() soft-deletes via deletedAt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Schema bump V9 adds an updatedAt secondary index to the six tables
that the cross-app dashboard widgets use for "recent N" lookups:
conversations, images, presiDecks, documents, songs, mukkePlaylists.
Dexie builds the index lazily on first open — no migration code,
no data touched.
Recent-query refactor:
useRecentConversations
useRecentImages
useRecentDecks
useRecentDocuments
All four switched from `toArray() + JS sort + slice` to
`orderBy('updatedAt').reverse().filter().limit()`. Dexie walks the
BTree backwards and short-circuits as soon as `limit` matches
accumulate, so the cost is O(limit + filtered) instead of O(table).
For a dashboard with thousands of stored conversations or images,
the dashboard widget previously read every record on every render
(liveQuery re-runs on any write). Now it stops after 5–6 hits.
Verified: 20/20 sync.test.ts still passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When the user logs a bleeding flow (light/medium/heavy) and the previous
cycle ended at least 10 days ago (or no cycle exists), automatically
create a new cycle. When the user logs 'none' for at least 2 consecutive
days after the last bleeding day in an open cycle, automatically set
periodEndDate to that last bleeding day.
Heuristics live in utils/auto-detect.ts as pure functions and are wired
into dayLogsStore.logDay. Conservative thresholds avoid false positives
for mid-cycle spotting and partial bleeding patterns. 18 unit tests
cover the edge cases.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. database.ts — defer pending-change writes out of the user transaction.
`taskTable.add()` opens an implicit Dexie transaction scoped only to
`tasks`. The creating-hook then tried to write to `_pendingChanges`,
which is not in scope, throwing `NotFoundError: object store not in
scope` and breaking every create across todo/calendar/contacts/etc.
`queueMicrotask` is not enough — Dexie binds the active transaction
to the current zone via Promise scheduling and treats microtasks as
"still inside". `setTimeout(0)` breaks out cleanly so the deferred
add() spawns its own implicit transaction.
2. workbench/AppPage.svelte — guard ListView reload by appId.
The list-loader $effect read `app` (a $derived of getApp(appId)) and
on every reactive churn cleared `ListComponent = null`, making the
whole carousel flash a spinner. After a task create, liveQuery churn
propagated up enough to retrigger this effect, which looked exactly
like a full page reload to the user. Now we only reload when appId
itself changes, with a stale-load guard for out-of-order awaits.
3. zitare/ListView.svelte — pull `quotesStore.initialize()` out of $effect.
The effect called initialize() (which writes `currentQuote` $state)
and then read `currentQuote` back, creating a classic write-then-read
loop that hit `effect_update_depth_exceeded`. Initialize now runs in
onMount; the effect is read-only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
base-client.test.ts
Source had been localised to German (Sitzung abgelaufen,
Keine Berechtigung, Server-Fehler (500)) but the test still
asserted on the old English strings. Updates the assertions
to the German substrings so a future copy tweak doesn't
break them again.
dashboard.test.ts
Widget registry has grown from 16 to 22 entries and the
required-backend list now includes nutriphi and planta. The
hard count assertion is replaced with a >=16 floor so adding
widgets no longer requires updating the test on every PR.
content/help/index.test.ts
getManaHelpContent() routes through svelte-i18n's t() helper.
In the test env the i18n store was uninitialised, so the
helper returned bare key strings and the .split(',') on a
missing tags entry threw. Adds a beforeAll that registers
the help dictionary for both de and en and awaits waitLocale
so the helper resolves real values.
Verified: 196/196 tests across 20 files now passing
(was 154/163 before this commit).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a one-tap voice recorder at the top of the Dreams module. Speak
your dream right after waking, the audio is sent through a server-side
proxy to mana-stt, and the transcript appears in the entry as soon as
it lands.
- New /api/v1/dreams/transcribe SvelteKit server route proxies the
upload to mana-stt with the server-held MANA_STT_API_KEY (never
exposed to the browser); validates mime, size, missing config
- Adds MANA_STT_URL + MANA_STT_API_KEY to the mana-web env config in
generate-env.mjs (private, not PUBLIC_ prefixed)
- New DreamRecorder class wraps MediaRecorder with reactive
$state — status, elapsed timer, error; supports cancel
- dreamsStore.createFromVoice creates a placeholder dream with
processingStatus='transcribing' and kicks off the upload
- dreamsStore.transcribeBlob uploads, writes the result back into
the dream, falls back to processingStatus='failed' on errors
- Adds processingStatus + processingError + audioDurationMs to
LocalDream; backwards-compatible defaults in toDream
- Mic button in ListView with idle / requesting / recording
(with elapsed timer + pulsing red) / stopping states
- Cancel button discards the in-flight recording
- Transcribing badge ●●● + failed ! badge on dream rows
- Inline editor shows live transcription status; while it's running
and the user hasn't typed anything, the transcript folds into the
edit buffer as soon as it arrives
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- PublicRsvpList: collapse onMount/onDestroy/$effect into a single
$effect with proper cleanup; eliminates the redundant interval init
paths and the dead else-branch
- DetailView: re-push the snapshot to mana-events when a published
event is opened, so any earlier fire-and-forget that lost a write
silently self-heals
- New _eventsTombstones queue (db version 8): when unpublish/delete
fails to remove the server snapshot, queue (eventId, token) for
retry; ListView drains the queue on mount with capped attempts
- Public /rsvp/[token]: detect Accept-Language in +page.server.ts,
pass lang to the page, and use a small inline DE/EN dict in
strings.ts — no svelte-i18n on the public route
New unified-app module under apps/mana/apps/web/src/lib/modules/cycles.
Adds three Dexie tables (cycles, cycleDayLogs, cycleSymptoms) in db v7,
SYNC_APP_MAP entry, app-registry registration, branding (icon + entry +
APP_URLS), and a /cycles route.
Includes phase derivation (menstruation/follicular/ovulation/luteal),
heuristic next-period and fertile-window prediction (rolling mean over
last 6 cycles), 10 default symptoms, and 33 unit tests covering the
pure utilities.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New data-layer-listeners.ts wires the fire-and-forget CustomEvents the
sync engine and quota helpers emit into the rest of the app:
- mana:storage-quota-exceeded
→ toast.info / .warning / .error depending on whether the recovery
cleanup succeeded, and a Sentry capture for the failure cases.
- mana:sync-telemetry
→ push:error / pull:error are routed to captureException with the
error category as a tag. Auth and network errors are downgraded to
console.warn so they don't drown Sentry in expected token blips.
→ apply:malformed-drop becomes a captureMessage warning.
→ success events log to console.debug only when import.meta.env.DEV.
- Tombstone cleanup loop
→ cleanupTombstones() runs once on idle after boot, then every 24h.
Errors caught locally and reported via captureException with a
'tombstone-cleanup' tag. Soft-deleted rows older than 30 days are
hard-purged so the IndexedDB doesn't grow unbounded.
Wired into the root layout's onMount: installDataLayerListeners()
returns a dispose function that removes both window listeners and
clears the cleanup interval.
Closes the audit's "no telemetry" + "no quota handling" + "tombstone
cleanup helper exists but unused" trio in one shot.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
