mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 19:01:08 +02:00
c7af693c6d
Before: adding a new Dexie table left the encryption decision implicit.
If you forgot to register it, the table silently shipped in plaintext
forever — no error, no warning, no footprint anywhere. The architecture
audit flagged this as the root of Concern 1.
- `scripts/audit-crypto-registry.mjs` parses database.ts's `.stores()`
blocks and registry.ts's entries, then enforces three invariants:
1. Every Dexie table is either in the encryption registry OR in the
new `plaintext-allowlist.ts` — one conscious classification per
table.
2. No dead registry entries (referring to tables that no longer
exist in Dexie).
3. No table appears in both — single authoritative source.
- `plaintext-allowlist.ts` auto-seeded from current state. 105 entries,
each tagged `// TODO: audit` as an invitation to review whether the
table truly holds nothing sensitive. The allowlist is intentionally
a separate file so additions are reviewable on their own (not buried
inside database.ts schema bumps).
- Wired into `pnpm run check:crypto` + CI validate job — a new table
now fails the PR check instead of slipping past review.
- `check:crypto:seed` regenerates the allowlist if ever needed.
Verified: drift simulation (removing aiMissions from the allowlist)
fails the audit with a clear message pointing at the missing
classification. Current state passes: 187 Dexie tables, 82 encrypted,
105 explicit plaintext.
Concern 1 is now fully closed (A: typed registry entries, B: dev-mode
runtime drift check, C: build-time audit enforcing coverage).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| dev | ||
| mac-mini | ||
| test-data | ||
| test-reporting | ||
| audit-complexity.mjs | ||
| audit-crypto-registry.mjs | ||
| audit-module-coupling.mjs | ||
| audit-modules.mjs | ||
| audit-theme-tokens.mjs | ||
| audit-workspace-deps.mjs | ||
| backup-monitoring.sh | ||
| build-complexity-map.mjs | ||
| check-status.sh | ||
| create-gift-codes.mjs | ||
| deploy-metrics.sh | ||
| ecosystem-audit.mjs | ||
| fix-mixed-imports.mjs | ||
| generate-dockerfiles.mjs | ||
| generate-env.mjs | ||
| generate-status-page.sh | ||
| lighthouse-audit.sh | ||
| run-integration-tests.sh | ||
| run-tests-with-coverage.sh | ||
| setup-databases.sh | ||
| setup-secrets.mjs | ||
| test-chat-auth.sh | ||
| validate-cloudflared-config.mjs | ||
| validate-dockerfiles.mjs | ||
| validate-monorepo.mjs | ||