An encrypted personal cloud built on the AT Protocol.

Update docs for security hardening and opake-derive crate

Closes #131

+20 -2
+1
CHANGELOG.md
··· 12 12 - Remove bearer token authentication fallback from AppView (#109) 13 13 14 14 ### Added 15 + - Update docs for security hardening and opake-derive crate (#131) 15 16 - Add inbox CLI command for discovering shared grants via appview (#128) 16 17 - Add inbox CLI command for discovering shared grants via appview (#128) 17 18 - Audit workspace dependencies for consolidation and upgrades (#110)
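Review bot: the `### Added` list this hunk extends carries the same entry twice in the unchanged context right below the new line (`- Add inbox CLI command for discovering shared grants via appview (#128)` at 15/16 and again at 16/17); since this change already touches the section, drop the duplicate here rather than leaving it for a later cleanup. A docs-only update also reads more naturally under a `### Changed` heading than under `### Added`, unless the project's convention is to file everything under Added.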
+5
CONTRIBUTING.md
··· 38 38 - SQLite storage (WAL mode) 39 39 - Axum API with DID-scoped Ed25519 auth 40 40 - rate limiting via tower_governor 41 + 42 + opake-derive proc-macro crate 43 + - #[derive(RedactedDebug)] with #[redact] field attribute 44 + - generates Debug impls showing byte length instead of content 45 + - used by opake-core (ContentKey, Session) and opake-cli (Identity) 41 46 ``` 42 47 43 48 `opake-core` must never depend on filesystem, stdin, or any platform-specific API. All I/O happens in the binary crates.
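Review bot: the new `opake-derive` block (added lines 41-45) describes what the macro generates but not the rule contributors are expected to follow; add a line stating that any new type holding key material or tokens must use `#[derive(RedactedDebug)]` with `#[redact]` on the sensitive fields instead of a plain `#[derive(Debug)]`, otherwise the three types listed here (`ContentKey`, `Session`, `Identity`) stay safe while the next one added does not. It would also help to say whether fields without `#[redact]` are printed normally, so a reviewer knows what a redacted `Debug` line is expected to look like.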
+2 -1
README.md
··· 96 96 97 97 ## Architecture 98 98 99 - Three crates: 99 + Four crates: 100 100 101 101 - **`opake-core`** — platform-agnostic library (compiles to WASM). Encryption, records, XRPC client, document operations. 102 102 - **`opake-cli`** — thin CLI wrapper. Config, session, identity persistence. 103 103 - **`opake-appview`** — Axum-based indexer and REST API. Jetstream firehose consumer, SQLite storage, DID-scoped Ed25519 auth. 104 + - **`opake-derive`** — Proc-macro crate. `RedactedDebug` derive macro for secret-safe Debug output. 104 105 105 106 See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the encryption model, crate structure, and design decisions. See [docs/FLOWS.md](docs/FLOWS.md) for sequence diagrams of every operation. 106 107
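Review bot: the new `opake-derive` bullet (line 104) should say which crates consume it, as `CONTRIBUTING.md` does (`opake-core` and `opake-cli`), and note that a proc-macro crate is compiled for the build host rather than the target, so it does not affect the "compiles to WASM" property claimed for `opake-core` on line 101. Without that, a reader checking the WASM claim against the new dependency has to work it out themselves.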
+12 -1
docs/ARCHITECTURE.md
··· 151 151 index.rs Indexer only 152 152 serve.rs API only 153 153 status.rs Print cursor + stats 154 + 155 + opake-derive/ Proc-macro crate (RedactedDebug derive) 156 + src/ 157 + lib.rs #[derive(RedactedDebug)] + #[redact] attribute 154 158 ``` 155 159 156 160 The boundary is strict: `opake-core` never touches the filesystem, stdin, or any platform-specific API. All I/O happens in the binary crates. This keeps `opake-core` compilable to WASM for the future web UI. ··· 267 271 accounts/ 268 272 <did>/ 269 273 session.json JWT tokens 270 - identity.json X25519 + Ed25519 keypairs (plaintext for MVP) 274 + identity.json X25519 + Ed25519 keypairs (0600, checked on load) 271 275 keyrings/ 272 276 <rkey>.json Group keys for each keyring (per-rotation) 273 277 ``` ··· 275 279 Group keys are stored locally because they never appear in plaintext on the PDS — only wrapped copies exist in the keyring record. Each keyring file holds an array of `{ rotation, group_key }` entries so that keys from previous rotations remain available for decrypting older documents. Legacy files (single `group_key` without rotation) are auto-migrated to rotation 0 on read. 276 280 277 281 The `--as <handle-or-did>` flag overrides the default account for any command. Future improvement: seed phrase derivation for the keypair instead of storing it in plaintext. 282 + 283 + ## File Permissions 284 + 285 + All sensitive files (identity, session, config, keyring keys) are written with 286 + 0600 permissions. Directories are created with 0700. Loading `identity.json` 287 + checks permissions and bails with a `chmod 600` hint if the file is 288 + group- or world-readable, matching SSH's `StrictModes` behavior.
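Review bot: the `## File Permissions` section (added lines 283-288) says the load-time permission check applies only to `identity.json`, while the tree above lists `session.json` (JWT tokens) and `keyrings/<rkey>.json` (group keys) as equally sensitive and only says they are written 0600; either extend the check to those files or state why identity alone is checked, since a 0600 `identity.json` next to a world-readable `keyrings/*.json` still exposes the keys that decrypt every document. Two smaller points: the section should say what happens on platforms without POSIX mode bits (Windows), where `0600` and the `chmod 600` hint do not apply; and the SSH comparison is off, because `StrictModes` is sshd's check that a user's home directory, `.ssh` and `authorized_keys` are owned by the user and not group- or world-writable, whereas refusing a private key that is group- or world-readable is `ssh(1)`'s own key-file check, which is the behaviour actually described here.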