Skip to content

Initial PRD attempt#1

Merged
FSM1 merged 1 commit into
mainfrom
initial-PRD
Jan 15, 2026
Merged

Initial PRD attempt#1
FSM1 merged 1 commit into
mainfrom
initial-PRD

Conversation

@FSM1

@FSM1 FSM1 commented Jan 15, 2026

Copy link
Copy Markdown
Owner
  • Introduced PRD.md detailing the CipherBox product, its goals, user personas, functional requirements, and technical architecture.
  • Updated README.md to include a brief description of CipherBox and a link to the PRD for more details.

- Introduced PRD.md detailing the CipherBox product, its goals, user personas, functional requirements, and technical architecture.
- Updated README.md to include a brief description of CipherBox and a link to the PRD for more details.
@FSM1 FSM1 merged commit e51c9dd into main Jan 15, 2026
@FSM1 FSM1 deleted the initial-PRD branch January 15, 2026 02:19
FSM1 added a commit that referenced this pull request Feb 2, 2026
ENVIRONMENTS.md:
- Rename section title to "Environment-Specific IPNS Key Derivation"
- Replace "environment salt" terminology with "environment context" throughout
- Remove unused VITE_WEB3AUTH_NETWORK env var (network derived from VITE_ENVIRONMENT)
- Add URL schemes to environment variable reference table

REVIEW-2026-01-25-environments.md:
- Update findings #1, #3, #4 status to "Addressed" with dates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
FSM1 added a commit that referenced this pull request Feb 2, 2026
…ion (#49)

* docs: add comprehensive environment architecture for multi-env isolation

Addresses the Web3Auth key isolation problem where all environments
sharing the same project leads to IPNS sequence number conflicts.

Documents four environments (local, CI, staging, production) with:
- Environment-specific Ed25519 key derivation salt approach
- Docker Compose configurations for offline/online IPFS modes
- Web3Auth network switching (Devnet vs Mainnet)
- Complete env var reference and implementation checklist

* docs: add TEE infrastructure analysis to environment architecture

Extends ENVIRONMENTS.md with detailed TEE layer implications:

- Local/CI: TEE disabled, IPNS can expire, user resets to clean slate
- Staging: TEE active with Phala testnet, needs DHT cleanup strategy
  for orphaned records when Web3Auth testnet IDs become unstable
- Production: Full TEE with monitoring, alerting thresholds, and
  incident runbooks for IPNS staleness detection

Includes:
- TEE environment matrix and configuration per environment
- Staging cleanup job interface for orphaned IPNS records
- Production monitoring requirements (staleness, error rates, latency)
- Implementation checklist for TEE infrastructure rollout
- Incident response runbook for IPNS staleness

* docs: add security review for environment architecture

Security review of ENVIRONMENTS.md found:
- 2 Medium: HKDF parameter naming, random vs derived key migration
- 2 Low: Cross-env data accessibility, mock service /reset endpoint
- 3 Info: TEE epoch design, Web3Auth shared identity, JWT placeholder

Overall assessment: APPROVED WITH CONCERNS
Core cryptographic approach is sound, needs clarification before impl.

* docs: address CodeRabbit review comments

- Clarify HKDF salt vs info usage to match RFC 5869 best practices
- Add security warning about cross-environment CID leakage risks
- Add safety note for /reset endpoint (local/CI only)
- Add language tags to fenced code blocks (bash, text)
- Add blank lines around alerting thresholds table (MD058)
- Replace absolute paths with repo-relative paths

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: address Copilot and additional CodeRabbit comments

ENVIRONMENTS.md:
- Rename section title to "Environment-Specific IPNS Key Derivation"
- Replace "environment salt" terminology with "environment context" throughout
- Remove unused VITE_WEB3AUTH_NETWORK env var (network derived from VITE_ENVIRONMENT)
- Add URL schemes to environment variable reference table

REVIEW-2026-01-25-environments.md:
- Update findings #1, #3, #4 status to "Addressed" with dates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: address CodeRabbit review comments for TEE architecture

- Add comprehensive TEE Key Encryption Architecture section:
  - Document threat model and security goals
  - Add encryption flow diagram (client -> API -> TEE)
  - Specify ECIES over secp256k1 as encryption primitive
  - Document TEE public key distribution with attestation
  - Define key epoch rotation scheme with 1-week grace period
  - Add epoch validation logic and error handling
  - Document forward secrecy considerations

- Update security review findings:
  - Mark TEE epoch rotation finding (#5) as addressed
  - Add comprehensive private key security test cases:
    - Test that private keys are never logged
    - Test that keys are not stored in localStorage/sessionStorage
    - Test that only encrypted keys are sent to TEE
    - Test IPNS signature verification prevents forgery

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
FSM1 added a commit that referenced this pull request Mar 4, 2026
- Extract clearAllUserStores() helper used by both useAuth logout and
  apiClient 401 interceptor, ensuring all stores are cleared on every
  logout path (addresses Copilot comments #1 and #2)
- Extract initialState constant in quota store so reset() and init
  values cannot drift (addresses Copilot comment #4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: ef84f2610701
FSM1 added a commit that referenced this pull request Mar 4, 2026
* fix(web): clear share and quota stores on logout

Share store's clearShares() was defined but never called during logout,
causing stale share data to persist across sessions. Quota store had no
reset method at all. Both are now cleared in the useAuth logout sequence.

Closes M2 tech debt items from milestone audit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: b5b5f70621d5

* docs(quick-023): M2 tech debt store logout cleanup

Quick task completed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: 89f45663f542

* fix(web): centralize store cleanup and address PR review comments

- Extract clearAllUserStores() helper used by both useAuth logout and
  apiClient 401 interceptor, ensuring all stores are cleared on every
  logout path (addresses Copilot comments #1 and #2)
- Extract initialState constant in quota store so reset() and init
  values cannot drift (addresses Copilot comment #4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: ef84f2610701

* fix(web): add session version guard to quota store fetchQuota

Prevents in-flight fetchQuota() responses from repopulating cleared
state after reset/logout. Flagged by both Copilot and CodeRabbit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: 4d1d4cd4dad6

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
FSM1 added a commit that referenced this pull request Mar 29, 2026
Phase 9 items #13-19 all resolved across later phases:
- #13 ThrottlerGuard applied to auth controller
- #14 IPNS URL encoding added in Rust SDK extraction
- #15 Debug eprintln! removed before Phase 9 merge
- #16 Private key console.log removed in Phase 28
- #17 Ed25519 key_bytes zeroized in Rust SDK extraction
- #18 Already marked resolved (PublishCoordinator)
- #19 Sync errors sanitized via sanitize_error()

12 Phase 5 items (#1-12) remain open — all low severity
input validation and defense-in-depth improvements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: d2581dc98652
FSM1 added a commit that referenced this pull request Mar 29, 2026
* docs: move structured logging to implemented in DEFERRED.md

Phase 28 implemented the structured logging wrapper (lib/logger.ts),
replacing 127 direct console.* calls. All 12 pending todos verified
still pending — no other changes needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 9faf72d8548e

* docs: mark 7 resolved items in security low-severity backlog

Phase 9 items #13-19 all resolved across later phases:
- #13 ThrottlerGuard applied to auth controller
- #14 IPNS URL encoding added in Rust SDK extraction
- #15 Debug eprintln! removed before Phase 9 merge
- #16 Private key console.log removed in Phase 28
- #17 Ed25519 key_bytes zeroized in Rust SDK extraction
- #18 Already marked resolved (PublishCoordinator)
- #19 Sync errors sanitized via sanitize_error()

12 Phase 5 items (#1-12) remain open — all low severity
input validation and defense-in-depth improvements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: d2581dc98652

* docs: add Phase 34 E2E Test Expansion & Staging Baselines

Consolidates 6 pending testing todos into a single phase:
- AES-CTR streaming playback E2E tests
- Batch download zip E2E tests
- Media preview E2E test suite
- Shared deleteAccount teardown across all specs
- BYO-IPFS load test baselines on staging
- Staging metrics baselines with Faro instrumentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: d8dd0c8c05c8

* docs: align DEFERRED.md footer date with header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: b6a6c2383250

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
FSM1 added a commit that referenced this pull request May 25, 2026
- Scope Tauri events per attempt via port-specific event names (review #1)
- Validate POST requests with server-generated nonce (review #2)
- Use absolute deadline instead of per-connection timeout (review #3)
- Use actual popup counter value for cleanup (review #4)
- Fail fast when all preferred ports are taken (review #6)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 172d4ce72f72
FSM1 added a commit that referenced this pull request May 25, 2026
…#459)

* fix(desktop): use localhost callback server for Google OAuth in Tauri

Google OAuth rejects custom URI schemes like `tauri://localhost` which
is what `window.location.origin` resolves to in production Tauri builds.
This caused Error 400: invalid_request when attempting Google login.

Replace the localStorage-polling approach with a temporary localhost HTTP
server (Rust-side) that receives the OAuth redirect, extracts the id_token
from the URL fragment via an injected callback page, and emits it back to
the main webview via a Tauri event.

- Add `start_oauth_server` Tauri command with preferred port selection
  (14200-14202) and random fallback
- Rewrite `getGoogleCredential()` to use the callback server + Tauri
  event listener instead of localStorage polling
- Add `core:event:default` permission for Tauri event API access
- Content-Length-aware HTTP body reading for reliable POST parsing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 51734dbce9b4

* chore(release): set release targets for PR #459

* fix(desktop): address PR review comments on OAuth callback server

- Scope Tauri events per attempt via port-specific event names (review #1)
- Validate POST requests with server-generated nonce (review #2)
- Use absolute deadline instead of per-connection timeout (review #3)
- Use actual popup counter value for cleanup (review #4)
- Fail fast when all preferred ports are taken (review #6)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 172d4ce72f72

* docs: implement temporary localhost HTTP server for Google OAuth callback in Tauri

Entire-Checkpoint: ac0f39da9ff3

* fix(desktop): address second round of PR review comments

- Update JSDoc to reflect fixed-port strategy (no dynamic/loopback)
- Validate OAuth state before handling errors (prevents DoS via crafted error)
- Loop-read TCP until headers are complete before parsing Content-Length
- Update debug doc to match current implementation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 72dff9156bda

* fix(desktop): address CodeRabbit review on OAuth callback server

- Move cleanup() after state validation to prevent promise hang on mismatch
- Use OsRng (CSPRNG) instead of thread_rng for nonce generation
- Remove Access-Control-Allow-Origin: * from GET responses (prevents
  local pages from fetching callback HTML to steal the nonce)
- Close OAuth popup windows on server timeout
- Gate callback HTML serving to /callback path only (404 for others)
- Remove stale review-cycle comment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 60247aaac75c

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant