mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-17 03:39:40 +02:00
Mirror of github.com/Memo-2023/mana-monorepo
1ba5948ce5
Lays the groundwork for selective field-level encryption-at-rest in the
data layer. Phase 1 ships ONLY the building blocks; nothing is actually
encrypted yet (every registry entry has enabled:false), so this commit
is a no-op for app behaviour and safe to merge.
New module: src/lib/data/crypto/
aes.ts — pure Web Crypto AES-GCM-256 wrap/unwrap
- wrapValue / unwrapValue with format-versioned envelope
`enc:1:<base64-iv>.<base64-ct>` — one-scan detection, survives
JSON.stringify on the sync wire, ~1.4× original byte length.
- JSON-stringifies the input so any value type works (string, number,
object, array). null/undefined pass through unchanged so optional
fields don't need a guard at every call site.
- Authenticated encryption: tampered ciphertext throws on decrypt.
- generateMasterKey / importMasterKey / exportMasterKey for the
Phase 2 server-side vault flow.
- toBufferSource() helper works around the TS 5.7 Uint8Array generic
parameterisation that broke the WebCrypto BufferSource overloads.
key-provider.ts — pluggable master-key source
- KeyProvider interface (getKey, isUnlocked, onChange).
- NullKeyProvider (default): always-locked, encryption call sites
silently skip. Safe for the rollout window where individual tables
are still flipping enabled:true.
- MemoryKeyProvider: holds a CryptoKey in process memory only,
notifies subscribers on lock/unlock transitions, sets a sentinel
in sessionStorage so the UI can detect the unlock state on hard
reload before the vault fetch completes.
- setKeyProvider / getKeyProvider / getActiveKey / isVaultUnlocked
are the boundary the rest of the data layer calls — no direct
references to the concrete provider.
registry.ts — strict per-table allowlist
- 30 tables registered, all enabled:false in Phase 1.
- Field selection rule: encrypt user-typed text, transcripts, PII,
free-form notes; leave IDs, timestamps, status flags, foreign
keys, sort keys plaintext so the query/index/sync layer keeps
working unchanged.
- getEncryptedFields(table) returns null for the common (disabled)
case so the Dexie hook hot-path stays allocation-free.
- hasAnyEncryption() lets the boot path skip the vault fetch
entirely while everything is still disabled.
index.ts — barrel export so consumers don't reach into sub-files.
aes.test.ts — 31 tests covering:
- isEncrypted detection (string prefix, non-strings, wrong version)
- wrap/unwrap roundtrip for string, empty string, unicode, object,
array, number, boolean, 10KB blob, null, undefined, plaintext
pass-through, null/undefined unwrap pass-through
- IV uniqueness across repeated wraps of the same plaintext
- Wrong-key rejection
- Tampered-ciphertext rejection (auth tag mismatch)
- Malformed-blob handling (missing iv/ct separator)
- importMasterKey / exportMasterKey raw byte roundtrip
- importMasterKey rejects non-32-byte input
- KeyProvider lifecycle: NullKeyProvider default, MemoryKeyProvider
set/get, listener fires only on transitions, dispose unsubscribes
- Registry: returns null for unregistered/disabled tables, every
entry has non-empty + duplicate-free fields list, hasAnyEncryption
returns false in Phase 1
All tests pass against Node 20 native Web Crypto. No fake-indexeddb
needed — the foundation is pure functions over crypto.subtle.
Verified: 31/31 new tests + 291/291 full mana/web suite passing.
Phase 2: mana-auth server-side vault (encryption_vaults table, KEK
loading, GET /me/encryption-key endpoint).
Phase 3: wire MemoryKeyProvider to the vault fetch on login, flip
registry entries to enabled:true table by table, extend Dexie hooks
to call wrapValue/unwrapValue on configured fields.
Phase 4: settings UI (lock state, key rotation, recovery code opt-in).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .changeset | ||
| .claude | ||
| .github | ||
| .husky | ||
| apps | ||
| docker | ||
| docs | ||
| games | ||
| load-tests | ||
| NewAppIdeas/Roblox Reimagined | ||
| packages | ||
| patches | ||
| scripts | ||
| services | ||
| tests/e2e | ||
| .dockerignore | ||
| .editorconfig | ||
| .env.development | ||
| .env.macmini.example | ||
| .gitignore | ||
| .npmrc | ||
| .nvmrc | ||
| .prettierignore | ||
| .prettierrc.json | ||
| CLAUDE.md | ||
| cloudflared-config.yml | ||
| docker-compose.dev.yml | ||
| docker-compose.macmini.yml | ||
| eslint.config.mjs | ||
| gift-codes-2026-02-14.txt | ||
| lint-staged.config.js | ||
| mac-mini-setup.sh | ||
| package.json | ||
| playwright.config.ts | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| README.md | ||
| test-chat-auth.sh | ||
| TROUBLESHOOTING.md | ||
| turbo.json | ||
| vitest.config.ts | ||
Mana Monorepo
Monorepo containing all Mana projects — a self-hosted multi-app ecosystem with shared packages and unified tooling.
Projects
| Project | Description | Apps |
|---|---|---|
| mana | Multi-app ecosystem platform | Expo mobile, SvelteKit web |
| chat | AI chat application | NestJS backend, Expo mobile, SvelteKit web, Astro landing |
| todo | Task management | NestJS backend, SvelteKit web, Astro landing |
| calendar | Calendar & scheduling | NestJS backend, SvelteKit web, Astro landing |
| clock | Pomodoro & time tracking | NestJS backend, SvelteKit web, Astro landing |
| contacts | Contact management | NestJS backend, SvelteKit web |
| picture | AI image generation | NestJS backend, Expo mobile, SvelteKit web, Astro landing |
| cards | Card/deck management | NestJS backend, Expo mobile, SvelteKit web |
| zitare | Daily inspiration quotes | NestJS backend, Expo mobile, SvelteKit web, Astro landing |
| mukke | Music player | NestJS backend, SvelteKit web |
| planta | Plant care tracker | NestJS backend, SvelteKit web |
| storage | Cloud storage | NestJS backend, SvelteKit web |
| questions | Q&A with web search | SvelteKit web |
| skilltree | Skill tree visualization | NestJS backend, SvelteKit web |
| nutriphi | Nutrition tracking | NestJS backend, SvelteKit web |
| citycorners | City guide | NestJS backend, SvelteKit web, Astro landing |
| presi | Presentation tool | NestJS backend, SvelteKit web |
| photos | Photo management | NestJS backend, SvelteKit web |
Getting Started
Prerequisites
- Node.js 20+
- pnpm 9.15.0+
- Docker (for PostgreSQL, Redis, MinIO)
Installation
pnpm install
Development
# Start infrastructure (PostgreSQL, Redis, MinIO)
pnpm docker:up
# Start any app with auto DB setup
pnpm dev:chat:full
pnpm dev:todo:full
pnpm dev:calendar:full
pnpm dev:contacts:full
# Build & quality
pnpm run build
pnpm run type-check
pnpm run format
See CLAUDE.md for comprehensive development documentation.
Architecture
mana-monorepo/
├── apps/ # Product applications
├── services/ # Microservices (auth, search, LLM, bots)
├── packages/ # Shared packages
├── docker/ # Docker configuration
└── scripts/ # Development & deployment scripts
Tooling
- Package Manager: pnpm 9.15.0
- Build System: Turborepo
- Formatting: Prettier (tabs, single quotes, 100 char width)
- Hosting: Mac Mini (self-hosted) via Docker + Cloudflare Tunnel
- Analytics: Umami (stats.mana.how)
License
Private - All rights reserved