Skip to content

feat(storage): per-credential opt-in to keep ciphertext on-device only#10

Merged
valehdba merged 1 commit into
mainfrom
feat/local-only-storage
May 9, 2026
Merged

feat(storage): per-credential opt-in to keep ciphertext on-device only#10
valehdba merged 1 commit into
mainfrom
feat/local-only-storage

Conversation

@valehdba

@valehdba valehdba commented May 9, 2026

Copy link
Copy Markdown
Owner

Summary

Adds a Store on this device only toggle to the Add Credential form. Items the user opts in for are encrypted with the same vault key as everything else, then persisted to the browser's IndexedDB instead of sent to the server. The encryption story is unchanged — a locked vault makes both server-fetched and local-only items unreadable.

For users who don't opt in (everyone, by default) the existing zero-knowledge guarantee is unchanged.

Screenshots

The new toggle in the Add form, with the trade-off warning copy:

Add credential form with the Store-on-device toggle enabled

The grid now renders a green DEVICE badge next to the name of any local-only row (visible on oracle-erp-bastion here):

Vault grid with a Device badge on the local-only row

What's in the diff

packages/web/src/storage/ — new module

  • local.ts — IndexedDB wrapper. Hand-rolled (no idb dep) to fit the project's dependency-minimal style. Records keyed by client-generated UUIDv4, indexed by lowercased vault email, atomic per-call transactions, descriptive errors.
  • unified.ts — facade exposing + "listAll" + / + "createItem" + / + "deleteItem" + that fan out over the server vault and the local store. Returned items carry a + "location: "server" | "local"" + tag set by the facade (NOT a field inside the encrypted plaintext, so no migration of existing items is needed). Local-store read failures fall back to an empty list with a console warning so a corrupt local store can't block access to server items.

Schema — unchanged

+ "VaultLoginPlaintext" + stays exactly as-is. The storage location is metadata attached at list time on the + "DecryptedItem" + wrapper. Existing items are implicitly + "location: "server"" + .

UI

  • AddCredentialForm: new toggle with warning copy — no sync, cleared if site data is cleared, single point of failure. Toggle defaults off.
  • CredentialsGrid: renders a green + "DEVICE" + badge next to the name of any local-only row. Badge is a sibling of the name span (not a child) so it stays visible while the long name truncates with ellipsis.
  • VaultPage: wires through the unified facade so every list / create / delete routes to the right store automatically. Bulk-delete maps each selected id to its location before issuing the per-store deletes.

Adjacent fix

Bulk-delete toast captured + "selected.size" + after + "setSelected(new Set())" + , which would render "0 credential(s) deleted". Captured the count first.

Decisions made up front (per design discussion)

Decision Choice
Pre-abstract for future SQLite/Tauri backend? No — premature, designs the seams in the wrong place. + "local.ts" + is already a small module boundary, easy to swap
Secondary passphrase for local items? No — narrow security benefit, lasting complexity (key wrapping, recovery flow, lockout)
Bulk Move-to-server / Move-to-device? No (v1) — server↔local move is two-step (write here, delete there), needs atomicity thinking. Edit-time toggle is enough for v1

Verification

  • + "npm run typecheck --workspaces" + — clean across core / web / extension
  • + "npm test --workspaces" + 56 passed (48 connect + 8 new local-storage tests)
  • + "npm run build --workspace=@passman/web" + — clean
  • Bundle impact: CSS +0.24 KB, JS +1.41 KB gzipped

Test plan

  • Build clean
  • Typecheck clean
  • 8 IndexedDB tests passing (round-trip, vault isolation, lowercasing, ordering, delete-and-report, count, ciphertext-shape, uniqueness)
  • Manual: add a credential with the toggle off, verify it round-trips through the server normally
  • Manual: add a credential with the toggle on, verify it appears in the grid with a + "DEVICE" + badge
  • Manual: lock the vault, unlock — local-only items still readable via the same vault key
  • Manual: delete a local-only item, verify it's removed from IndexedDB (DevTools → Application → IndexedDB → + "passman-local-vault" + )
  • Manual: clear site data, verify local-only items are gone but server items reappear after re-login

🤖 Generated with Claude Code

Adds a "Store on this device only" toggle to the Add Credential form.
Items the user opts in for are encrypted with the same vault key as
everything else, then persisted to the browser's IndexedDB instead of
sent to the server. The encryption story is unchanged — a locked vault
makes both server-fetched and local-only items unreadable.

For users who don't opt in (everyone, by default) the existing
zero-knowledge guarantee is unchanged.

## What's in the diff

### `packages/web/src/storage/` — new module

- `local.ts` — IndexedDB wrapper. Hand-rolled (no `idb` dep) to fit the
  project's dependency-minimal style; ~150 lines including jsdoc.
  - Records keyed by client-generated UUIDv4
  - `vault` index (lowercased email) so two accounts sharing a browser
    see disjoint items
  - Atomic per-call transactions, descriptive errors, no silent failures
- `unified.ts` — facade exposing `listAll` / `createItem` / `deleteItem`
  that fan out over the server vault and the local store. Returned
  items carry a `location: "server" | "local"` tag set by the facade
  (NOT a field inside the encrypted plaintext, so no migration of
  existing items is needed).
  - Local-store read failures fall back to an empty list with a console
    warning so a corrupt local store can't block access to server items.

### Schema (no change)

`VaultLoginPlaintext` is unchanged. The storage location is metadata
about *where the ciphertext came from*, attached at list time on the
`DecryptedItem` wrapper type. Existing items are implicitly
`location: "server"`.

### UI

- AddCredentialForm grows a "Store on this device only" toggle with
  warning copy: no sync, cleared if site data is cleared, single point
  of failure. Toggle defaults off.
- CredentialsGrid renders a green `DEVICE` badge next to the name of
  any local-only row. The badge is a sibling of the name span (not a
  child) so it stays visible while the long name truncates with
  ellipsis — verified in the regenerated screenshots.
- VaultPage wires through the unified facade so every list / create /
  delete routes to the right store automatically. The bulk-delete
  toolbar maps each selected id to its location before issuing the
  per-store deletes.

Adjacent fix: bulk-delete toast captured `selected.size` AFTER
`setSelected(new Set())`, which would render "0 credential(s) deleted".
Captured the count first.

### Tests

- 8 new vitest tests in `tests/local-storage.test.ts` covering:
  round-trip, vault-key lowercasing, per-vault isolation, ordering by
  creation time, delete-and-report, count, ciphertext-shape contract,
  per-row uniqueness. Total web tests: 56 passing (was 48).
- `fake-indexeddb/auto` polyfills `globalThis.indexedDB` for Node tests;
  the production code runs unmodified.

### Docs

- `docs/USER_GUIDE.md` gains §5a explaining the toggle, what it stores,
  and the explicit trade-off list (no sync, cleared by site-data wipe,
  no off-device backup).
- `docs/preview/vault*.html` mockups updated to mirror the new live
  DOM structure (`name-row` wrapper around the name + optional badge).
  All preview screenshots regenerated.

### Bundle impact

CSS: 4.48 KB → 4.72 KB gzipped (+0.24 KB)
JS:  75.53 KB → 76.94 KB gzipped (+1.41 KB)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@valehdba valehdba merged commit 49a3d3e into main May 9, 2026
9 checks passed
@valehdba valehdba deleted the feat/local-only-storage branch May 9, 2026 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant