Updates DATA_LAYER_AUDIT.md to reflect everything that landed since
the last refresh (which stopped at Sprint 4). The doc is now the
authoritative status surface for both audit-sprint and encryption-
sprint progress.

What's new in the doc:

Status table (Section 0)
Adds the missing post-Sprint 4 work and the full encryption phase
table:
- Sprint 4+ Listeners (575c5c36f)
- Test-Fix sprint (ae648650e)
- Backlog 1/2/3 — Indexed queries V9, SSE pipeline, Activity log
- Encryption phases 1-6 with commits
The "tests passing" line bumps to 262/262 across 20 files.

Architecture diagram (Section 1)
Shows how a write now flows through encryptRecord BEFORE the
Dexie hook, and how reads route through decryptRecords on the
way out of liveQuery. Adds a second diagram for the Encryption
Pipeline (login → vault unlock → MemoryKeyProvider → wrap/
unwrap → IndexedDB) that wasn't documented anywhere before.

File map (Section 1)
Splits into "Datenschicht" (data layer) and "Encryption" sub-tables.
The encryption table lists all 17 new files across crypto/, the
mana-auth services, the settings page and the onboarding banner with
a one-line purpose for each.

Key facts (Eckdaten)
Schema versions 1-10 (was 1-7), and the new "At-Rest-Encryption"
bullet noting 22+ tables.

Critical fixes table (Section 2 🔴)
#4 "Keine Verschlüsselung im Browser" (no encryption in the browser)
flips from "noch offen" (still open) to "Encryption Phase 1-6 ✅"
with the one-line summary.

🟢 backlog status table
#13 SSE buffer flips to ✅ via Backlog 2.
#14 Tombstone cleanup loop flips to ✅ via Sprint 4+.
#18 Activity log flips to ✅ via Backlog 3.

New Section 5 — Encryption Pipeline
Documents the trust model end-to-end:
- Where each piece lives (mana-auth env KEK, wrapped MK in
encryption_vaults, browser sessionStorage, IndexedDB blobs)
- The complete table-by-table list of WHAT is encrypted and
WHAT stays plaintext, with the per-table reasoning for the
plaintext exceptions (dreamSymbols.name for indexed lookup,
cycleDayLogs.symptoms for Set-diff, inventar.invItems.name
for index, etc.)
- "Was Mana technisch (nicht) sehen kann" (what Mana technically can
and cannot see): three-level honest disclosure: never / theoretically /
structurally

Section 6 — Backlog
Reorders by remaining encryption work first:
1. Phase 7 cross-module title coverage (timeBlocks coupling)
2. Phase 7 server-pushed records (picture/storage/music)
3. Phase 7 storeless modules (nutriphi/uload/context/questions)
4. Phase 8 recovery code opt-in for true zero-knowledge
5. Conflict viz UI
6. Composite indexes for multi-account
7. V3 migration tests

Strengths (Stärken, Section 7)
Adds the encryption-specific properties: dedicated crypto/ sub-module
decoupled from the sync layer, vault singleton via vault-instance.ts,
and the dimension "Vertraulichkeit" (confidentiality) added to the
final tagline.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>