mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-15 03:21:08 +02:00
bed08a1aa6
First module with at-rest encryption flipped on. The notes table's
title + content are now encrypted with AES-GCM-256 before any write
hits Dexie, decrypted on every read coming back through liveQuery,
and travel as opaque ciphertext through the sync wire (pending
changes, server push, applyServerChanges, the lot).
What changes for the user
- Nothing visible. Optimistic UI render still uses the plaintext
snapshot returned by createNote(). Edits look identical to the
old Phase 3 behaviour. The difference is invisible until you
crack open DevTools → Application → IndexedDB → mana → notes,
where you'll see ciphertext instead of "Buy milk".
What changes on disk
- notes.title and notes.content store ciphertext blobs
(`enc:1:<iv-b64>.<ct-b64>`)
- All other columns (id, color, isPinned, isArchived, createdAt,
updatedAt, deletedAt, userId, __fieldTimestamps) stay plaintext
so liveQuery filtering, sorting, and Field-Level LWW continue to
work without changes.
- _pendingChanges.data carries the same ciphertext blobs — server
receives opaque values, never plaintext.
Files
registry.ts
notes flipped to enabled:true with the corrected field list
['title', 'content'] (the schema has no 'body' column).
aes.test.ts
Existing assertion that "Phase 1 has no encrypted tables" is
rewritten as "notes is enabled in Phase 4" so the registry flip
doesn't break the foundation suite.
record-helpers.ts
encryptRecord/decryptRecord/decryptRecords loosen the generic
constraint from `T extends Record<string, unknown>` to
`T extends object`. Domain types like LocalNote work as direct
arguments without an `as Record<string, unknown>` cast at every
call site. Internal field reads/writes go through a sealed
Record-shaped view.
notes/stores/notes.svelte.ts
createNote: snapshots the plaintext for the optimistic return
value, then encryptRecord('notes', record) before noteTable.add.
updateNote: encrypts the diff in place; non-encrypted fields
(color, isPinned, isArchived) pass through untouched.
togglePin / archiveNote / deleteNote: untouched — they only
update plaintext columns.
notes/queries.ts
useAllNotes: filter on plaintext metadata first (deletedAt,
isArchived) so the decrypt workload is bounded by the visible
set, not the whole table. Then decryptRecords across what's
left, then map+sort.
useNote(id): new helper for detail views.
notes-encryption.test.ts (new — 8 cases)
End-to-end against fake-indexeddb with a real Web Crypto master
key in MemoryKeyProvider:
1. Title + content land as ciphertext on disk
2. Structural fields stay plaintext on disk
3. updateNote re-encrypts modified content but leaves flags
4. togglePin / archiveNote produce byte-identical title blobs
(i.e. no spurious re-encryption)
5. _pendingChanges.data carries ciphertext + plaintext metadata
6. Wrong-key decrypt fails closed (returns blobs, not garbage)
7. Locked vault refuses new writes with VaultLockedError
8. Locked vault still serves blobs without crashing on read
Test bilanz: 4 crypto-related test files, 64/64 passing
(31 AES + 12 record-helpers + 12 vault-client + 8 notes E2E + 1 misc).
Full mana/web suite: 20 files, 262/262 tests passing.
Stand der encryption pipeline:
Phase 1 ✅ Foundation (
|
||
|---|---|---|
| .. | ||
| api | ||
| calc/packages/shared | ||
| calendar | ||
| cards | ||
| chat | ||
| citycorners | ||
| contacts | ||
| context | ||
| docs | ||
| guides | ||
| inventar | ||
| mana | ||
| manacore/apps/web/src/lib | ||
| manavoxel | ||
| matrix | ||
| memoro | ||
| moodlit | ||
| mukke | ||
| news | ||
| nutriphi | ||
| photos | ||
| picture | ||
| planta | ||
| presi | ||
| questions | ||
| skilltree | ||
| storage | ||
| times | ||
| todo | ||
| traces | ||
| uload | ||
| zitare/packages/content | ||