Implement Enterprise-Grade Database Encryption System #244

2025-09-16T02:38:53Z

ZacharyZcR commented

2025-09-16 02:38:53 +00:00

(Migrated from github.com)

Summary

This PR implements a comprehensive database encryption system that provides enterprise-grade security for SSH credentials, passwords, and authentication tokens stored in Termix.

🔐 Core Security Features

AES-256-GCM authenticated encryption for all sensitive data fields
Device-bound master key protection (KEK) using hardware fingerprinting
PBKDF2 + HKDF key derivation with 100,000 iterations for cryptographic strength
Automatic key management with secure storage and rotation capabilities

🛡️ Data Protection Coverage

SSH private keys and key passphrases
User passwords and authentication credentials
2FA/TOTP secrets and backup codes
All sensitive configuration data

🚀 User Experience Improvements

Zero-configuration startup - encryption initializes automatically
Seamless migration for existing databases with dry-run capability
Admin interface integration with comprehensive encryption management
Intelligent migration detection - only prompts when actual unencrypted data exists
Full internationalization support (English/Chinese)

🔧 Technical Implementation

Transparent encryption layer using EncryptedDBOperations wrapper
Backward compatibility with existing plaintext data during migration
Database schema migrations for new encryption-specific fields
Comprehensive error handling and security logging
TypeScript type safety throughout the encryption pipeline

📊 Migration & Status Features

Smart migration detection - new databases don't show false migration warnings
Three-state migration status: completed, required, or not needed
Safe migration process with automatic backups and rollback capability
Real-time encryption status monitoring in admin interface

🏗️ Architecture Highlights

Modular design with separate encryption, key management, and migration components
Secure startup sequence ensuring encryption initializes before data access
Device fingerprint protection prevents key extraction even with database access
Field-level encryption with unique keys per data type for security isolation

This implementation follows security best practices and provides enterprise-level protection while maintaining ease of use for administrators.

Test Plan

Verify encryption initialization on fresh installations
Test migration process with existing unencrypted data
Confirm all write operations use encryption layer
Validate device fingerprint protection works across restarts
Test admin interface encryption management functionality
Verify backward compatibility with existing deployments

🤖 Generated with Claude Code

Summary by CodeRabbit

New Features
- Database encryption added with an Admin “Database Security” panel to initialize, view status, and migrate existing data; includes health checks and migration dry-run.
- SSH credentials upgraded: separate private/public key storage, automatic key-type detection, key-pair generation, public-key derivation/validation, and one-click deploy of SSH keys to hosts. Updated editor and manager UIs.
Documentation
- New Security Guide describing encryption setup, migration steps, best practices, troubleshooting, and compliance considerations.

## Summary This PR implements a comprehensive database encryption system that provides enterprise-grade security for SSH credentials, passwords, and authentication tokens stored in Termix. ### 🔐 Core Security Features - **AES-256-GCM authenticated encryption** for all sensitive data fields - **Device-bound master key protection (KEK)** using hardware fingerprinting - **PBKDF2 + HKDF key derivation** with 100,000 iterations for cryptographic strength - **Automatic key management** with secure storage and rotation capabilities ### 🛡️ Data Protection Coverage - SSH private keys and key passphrases - User passwords and authentication credentials - 2FA/TOTP secrets and backup codes - All sensitive configuration data ### 🚀 User Experience Improvements - **Zero-configuration startup** - encryption initializes automatically - **Seamless migration** for existing databases with dry-run capability - **Admin interface integration** with comprehensive encryption management - **Intelligent migration detection** - only prompts when actual unencrypted data exists - **Full internationalization** support (English/Chinese) ### 🔧 Technical Implementation - **Transparent encryption layer** using `EncryptedDBOperations` wrapper - **Backward compatibility** with existing plaintext data during migration - **Database schema migrations** for new encryption-specific fields - **Comprehensive error handling** and security logging - **TypeScript type safety** throughout the encryption pipeline ### 📊 Migration & Status Features - **Smart migration detection** - new databases don't show false migration warnings - **Three-state migration status**: completed, required, or not needed - **Safe migration process** with automatic backups and rollback capability - **Real-time encryption status** monitoring in admin interface ### 🏗️ Architecture Highlights - **Modular design** with separate encryption, key management, and migration components - **Secure startup sequence** ensuring encryption initializes before data access - **Device fingerprint protection** prevents key extraction even with database access - **Field-level encryption** with unique keys per data type for security isolation This implementation follows security best practices and provides enterprise-level protection while maintaining ease of use for administrators. ## Test Plan - [x] Verify encryption initialization on fresh installations - [x] Test migration process with existing unencrypted data - [x] Confirm all write operations use encryption layer - [x] Validate device fingerprint protection works across restarts - [x] Test admin interface encryption management functionality - [x] Verify backward compatibility with existing deployments 🤖 Generated with [Claude Code](https://claude.ai/code)  ## Summary by CodeRabbit * **New Features** * Database encryption added with an Admin “Database Security” panel to initialize, view status, and migrate existing data; includes health checks and migration dry-run. * SSH credentials upgraded: separate private/public key storage, automatic key-type detection, key-pair generation, public-key derivation/validation, and one-click deploy of SSH keys to hosts. Updated editor and manager UIs. * **Documentation** * New Security Guide describing encryption setup, migration steps, best practices, troubleshooting, and compliance considerations.

coderabbitai[bot] commented

2025-09-16 02:39:00 +00:00

(Migrated from github.com)

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds database field-level encryption, key management, and migration utilities; exposes encryption REST endpoints; updates server startup to initialize encryption; expands DB schema for SSH keys; rewires DB CRUD through encrypted operations; enhances SSH credential routes with key parsing/generation/deployment; updates SSH runtime to prefer new privateKey; and adds corresponding admin and credential UI plus API wrappers.

Changes

Cohort / File(s)	Summary
Security documentation `SECURITY.md`	New security guide detailing AES-256-GCM DB encryption, configuration, migration, verification, and operational practices.
Encryption core utilities `src/backend/utils/encryption.ts`, `src/backend/utils/database-encryption.ts`, `src/backend/utils/encryption-key-manager.ts`, `src/backend/utils/master-key-protection.ts`	Introduces field-level encryption (AES-256-GCM), encryption context/init/status, KEK-protected master key manager, and device-fingerprint-bound key protection.
Encrypted DB operations & migration `src/backend/utils/encrypted-db-operations.ts`, `src/backend/utils/encryption-migration.ts`, `src/backend/utils/encryption-test.ts`	Adds encrypted CRUD wrappers, health check, per-table migration, migration CLI/flow, status helpers, and an encryption test harness.
Server startup and encryption endpoints `src/backend/starter.ts`, `src/backend/database/database.ts`	Server now initializes encryption on startup and exposes new endpoints: `/encryption/status`, `/encryption/initialize`, `/encryption/migrate`, `/encryption/regenerate`.
DB schema and migration `src/backend/database/db/index.ts`, `src/backend/database/db/schema.ts`	Adds `ssh_credentials` columns: `private_key`, `public_key`, `detected_key_type` and corresponding TS schema fields; migration guarded by add-if-not-exists.
SSH credential routes and utilities `src/backend/database/routes/credentials.ts`, `src/backend/utils/ssh-key-utils.ts`	Extends credentials API: key parsing/detection/validation, keypair generation, public key derivation, encrypted DB access, and deploy-to-host via SSH.
SSH runtime consumers `src/backend/ssh/terminal.ts`, `src/backend/ssh/tunnel.ts`, `src/backend/ssh/server-stats.ts`, `src/backend/database/routes/ssh.ts`	Consumers now read via encrypted ops and prefer `privateKey` over legacy `key`; host/credential fetches wrapped with encrypted selects.
Admin encryption UI `src/ui/Desktop/Admin/AdminSettings.tsx`	Adds Database Security tab to show encryption/key status, initialize encryption, and run migrations (with dry-run).
Credentials UI & API `src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx`, `src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx`, `unified_key_section.tsx`, `src/ui/main-axios.ts`	Adds key type detection, keypair/public key generation, deploy-to-host flow with modal, unified key section component, and new API wrappers for key ops/deploy. Tightens error propagation.
Types `src/types/index.ts`	Adds optional `publicKey?: string` to `Credential` and `CredentialData`.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Admin
  participant Server as Backend Server
  participant Enc as DatabaseEncryption
  participant KM as EncryptionKeyManager
  participant DB as DB/Settings

  Note over Server: Startup
  Server->>Enc: initialize()
  Enc->>KM: getOrInitMasterKey()
  KM->>DB: load/store protected key
  KM-->>Enc: masterPassword
  Enc-->>Server: context ready
  Server-->>Admin: Server ready (routes include /encryption/*)

  Note over Admin,Server: Status and initialization
  Admin->>Server: GET /encryption/status
  Server->>Enc: getDetailedStatus()
  Enc->>KM: getEncryptionStatus()
  Enc-->>Server: status + key info
  Server-->>Admin: JSON status

  Admin->>Server: POST /encryption/initialize
  Server->>KM: generate/retrieve key
  Server->>Enc: initialize({ masterPassword })
  Server-->>Admin: { success, keyPreview }

sequenceDiagram
  autonumber
  actor User as User (UI)
  participant API as Credentials Routes
  participant EOps as EncryptedDBOperations
  participant Enc as DatabaseEncryption
  participant DB as DB (ssh_credentials)

  Note over User,API: Create/Update credential (key-based)
  User->>API: POST /credentials { privateKey, publicKey, ... }
  API->>EOps: insert(ssh_credentials, data)
  EOps->>Enc: encryptRecord('ssh_credentials', data)
  Enc-->>EOps: encryptedData
  EOps->>DB: INSERT encryptedData RETURNING *
  DB-->>EOps: row*
  EOps->>Enc: decryptRecord('ssh_credentials', row)
  Enc-->>EOps: decryptedRow
  EOps-->>API: decryptedRow
  API-->>User: credential JSON (incl. publicKey, detectedKeyType)

sequenceDiagram
  autonumber
  actor User as User (UI)
  participant API as /credentials/:id/deploy-to-host
  participant EOps as EncryptedDBOperations
  participant SSH as ssh2 Client
  participant Host as Target Host

  User->>API: POST deploy-to-host { targetHostId }
  API->>EOps: select credential + host (encrypted)
  EOps-->>API: decrypted credential, host
  API->>SSH: connect(hostConfig)
  SSH->>Host: exec mkdir ~/.ssh && append publicKey
  SSH-->>API: success/failure
  API-->>User: { success, message }

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

LukeGus/Termix#221 — Also modifies ssh_credentials schema and credential routes; overlaps with key storage changes.
LukeGus/Termix#234 — Adds similar credential key handling (generation/validation/deployment) and updates terminal/tunnel resolution logic.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 38.24% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Implement Enterprise-Grade Database Encryption System" accurately and concisely captures the primary change in this PR—the introduction of a comprehensive database encryption subsystem (key management, field-level encryption, migration, and admin UI). It is specific, relevant to the changeset, and clear for teammates scanning history.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

> [!IMPORTANT] > ## Review skipped > > Auto reviews are disabled on base/target branches other than the default branch. > > > > Please check the settings in the CodeRabbit UI or the `.coderabbit.yaml` file in this repository. To trigger a single review, invoke the `@coderabbitai review` command. > > You can disable this status message by setting the `reviews.review_status` to `false` in the CodeRabbit configuration file.   ## Walkthrough Adds database field-level encryption, key management, and migration utilities; exposes encryption REST endpoints; updates server startup to initialize encryption; expands DB schema for SSH keys; rewires DB CRUD through encrypted operations; enhances SSH credential routes with key parsing/generation/deployment; updates SSH runtime to prefer new privateKey; and adds corresponding admin and credential UI plus API wrappers. ## Changes | Cohort / File(s) | Summary | | --- | --- | | **Security documentation**<br>`SECURITY.md` | New security guide detailing AES-256-GCM DB encryption, configuration, migration, verification, and operational practices. | | **Encryption core utilities**<br>`src/backend/utils/encryption.ts`, `src/backend/utils/database-encryption.ts`, `src/backend/utils/encryption-key-manager.ts`, `src/backend/utils/master-key-protection.ts` | Introduces field-level encryption (AES-256-GCM), encryption context/init/status, KEK-protected master key manager, and device-fingerprint-bound key protection. | | **Encrypted DB operations & migration**<br>`src/backend/utils/encrypted-db-operations.ts`, `src/backend/utils/encryption-migration.ts`, `src/backend/utils/encryption-test.ts` | Adds encrypted CRUD wrappers, health check, per-table migration, migration CLI/flow, status helpers, and an encryption test harness. | | **Server startup and encryption endpoints**<br>`src/backend/starter.ts`, `src/backend/database/database.ts` | Server now initializes encryption on startup and exposes new endpoints: `/encryption/status`, `/encryption/initialize`, `/encryption/migrate`, `/encryption/regenerate`. | | **DB schema and migration**<br>`src/backend/database/db/index.ts`, `src/backend/database/db/schema.ts` | Adds `ssh_credentials` columns: `private_key`, `public_key`, `detected_key_type` and corresponding TS schema fields; migration guarded by add-if-not-exists. | | **SSH credential routes and utilities**<br>`src/backend/database/routes/credentials.ts`, `src/backend/utils/ssh-key-utils.ts` | Extends credentials API: key parsing/detection/validation, keypair generation, public key derivation, encrypted DB access, and deploy-to-host via SSH. | | **SSH runtime consumers**<br>`src/backend/ssh/terminal.ts`, `src/backend/ssh/tunnel.ts`, `src/backend/ssh/server-stats.ts`, `src/backend/database/routes/ssh.ts` | Consumers now read via encrypted ops and prefer `privateKey` over legacy `key`; host/credential fetches wrapped with encrypted selects. | | **Admin encryption UI**<br>`src/ui/Desktop/Admin/AdminSettings.tsx` | Adds Database Security tab to show encryption/key status, initialize encryption, and run migrations (with dry-run). | | **Credentials UI & API**<br>`src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx`, `src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx`, `unified_key_section.tsx`, `src/ui/main-axios.ts` | Adds key type detection, keypair/public key generation, deploy-to-host flow with modal, unified key section component, and new API wrappers for key ops/deploy. Tightens error propagation. | | **Types**<br>`src/types/index.ts` | Adds optional `publicKey?: string` to `Credential` and `CredentialData`. | ## Sequence Diagram(s) ```mermaid sequenceDiagram autonumber actor Admin participant Server as Backend Server participant Enc as DatabaseEncryption participant KM as EncryptionKeyManager participant DB as DB/Settings Note over Server: Startup Server->>Enc: initialize() Enc->>KM: getOrInitMasterKey() KM->>DB: load/store protected key KM-->>Enc: masterPassword Enc-->>Server: context ready Server-->>Admin: Server ready (routes include /encryption/*) Note over Admin,Server: Status and initialization Admin->>Server: GET /encryption/status Server->>Enc: getDetailedStatus() Enc->>KM: getEncryptionStatus() Enc-->>Server: status + key info Server-->>Admin: JSON status Admin->>Server: POST /encryption/initialize Server->>KM: generate/retrieve key Server->>Enc: initialize({ masterPassword }) Server-->>Admin: { success, keyPreview } ``` ```mermaid sequenceDiagram autonumber actor User as User (UI) participant API as Credentials Routes participant EOps as EncryptedDBOperations participant Enc as DatabaseEncryption participant DB as DB (ssh_credentials) Note over User,API: Create/Update credential (key-based) User->>API: POST /credentials { privateKey, publicKey, ... } API->>EOps: insert(ssh_credentials, data) EOps->>Enc: encryptRecord('ssh_credentials', data) Enc-->>EOps: encryptedData EOps->>DB: INSERT encryptedData RETURNING * DB-->>EOps: row* EOps->>Enc: decryptRecord('ssh_credentials', row) Enc-->>EOps: decryptedRow EOps-->>API: decryptedRow API-->>User: credential JSON (incl. publicKey, detectedKeyType) ``` ```mermaid sequenceDiagram autonumber actor User as User (UI) participant API as /credentials/:id/deploy-to-host participant EOps as EncryptedDBOperations participant SSH as ssh2 Client participant Host as Target Host User->>API: POST deploy-to-host { targetHostId } API->>EOps: select credential + host (encrypted) EOps-->>API: decrypted credential, host API->>SSH: connect(hostConfig) SSH->>Host: exec mkdir ~/.ssh && append publicKey SSH-->>API: success/failure API-->>User: { success, message } ``` ## Estimated code review effort 🎯 5 (Critical) | ⏱️ ~120 minutes ## Possibly related PRs - LukeGus/Termix#221 — Also modifies ssh_credentials schema and credential routes; overlaps with key storage changes. - LukeGus/Termix#234 — Adds similar credential key handling (generation/validation/deployment) and updates terminal/tunnel resolution logic.   ## Pre-merge checks and finishing touches <details> <summary>❌ Failed checks (1 warning)</summary> | Check name | Status | Explanation | Resolution | | :----------------: | :--------- | :------------------------------------------------------------------------------------ | :----------------------------------------------------------------------------- | | Docstring Coverage | ⚠️ Warning | Docstring coverage is 38.24% which is insufficient. The required threshold is 80.00%. | You can run `@coderabbitai generate docstrings` to improve docstring coverage. | </details> <details> <summary>✅ Passed checks (2 passed)</summary> | Check name | Status | Explanation | | :---------------: | :------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. | | Title Check | ✅ Passed | The title "Implement Enterprise-Grade Database Encryption System" accurately and concisely captures the primary change in this PR—the introduction of a comprehensive database encryption subsystem (key management, field-level encryption, migration, and admin UI). It is specific, relevant to the changeset, and clear for teammates scanning history. | </details>   --- <sub>Comment `@coderabbitai help` to get the list of available commands and usage tips.</sub>

coderabbitai[bot] (Migrated from github.com) reviewed 2025-09-16 02:49:59 +00:00

coderabbitai[bot] (Migrated from github.com) left a comment

Actionable comments posted: 28

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (7)
src/backend/ssh/tunnel.ts (2)
621-626: Security: Avoid echoing sensitive SSH keys in shell commands

Writing the SSH key directly in the shell command exposes it in process listings and shell history. This is a security vulnerability.

Consider using ssh2's native connection forwarding instead of executing shell commands:
-      const keyFilePath = `/tmp/tunnel_key_${tunnelName.replace(/[^a-zA-Z0-9]/g, "_")}`;
-      tunnelCmd = `echo '${resolvedEndpointCredentials.sshKey}' > ${keyFilePath} && chmod 600 ${keyFilePath} && ssh -i ${keyFilePath} -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker} && rm -f ${keyFilePath}`;
+      // Use ssh2's forwardOut method instead of shell commands
+      // This avoids exposing keys in process listings
Alternatively, write the key to a file using Node.js fs module with proper permissions before executing the SSH command.

625-625: Security: Command injection vulnerability with password

Using password directly in shell command with sshpass is vulnerable to command injection if the password contains special characters.

The password needs to be properly escaped:
-      tunnelCmd = `sshpass -p '${resolvedEndpointCredentials.password || ""}' ssh -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker}`;
+      // Escape password to prevent command injection
+      const escapedPassword = (resolvedEndpointCredentials.password || "").replace(/'/g, "'\\''");
+      tunnelCmd = `sshpass -p '${escapedPassword}' ssh -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker}`;
Consider using ssh2's native forwarding capabilities instead of shell commands for better security.
src/backend/database/routes/ssh.ts (5)
44-45: Insecure JWT secret fallback ("secret")

Defaulting to 'secret' enables trivial token forgery in misconfigured environments. Make JWT_SECRET mandatory at startup and fail fast if missing.
- const jwtSecret = process.env.JWT_SECRET || "secret";
+ const jwtSecret = process.env.JWT_SECRET;
+ if (!jwtSecret) {
+   sshLogger.error("JWT_SECRET not set");
+   return res.status(500).json({ error: "Server misconfiguration" });
+ }
61-64: "Internal" endpoint can be accessed remotely with a spoofable header

Allowing x-internal-request: 1 to bypass localhost check defeats the purpose of an internal-only unauthenticated endpoint. Restrict strictly to loopback and/or require a strong shared secret (env) or remove the header bypass.
- if (!isLocalhost(req) && req.headers["x-internal-request"] !== "1") {
+ if (!isLocalhost(req)) {
Optionally add: verify X-Internal-Secret === process.env.INTERNAL_API_SECRET.

201-203: Sensitive writes bypass encryption on ssh_data

In POST /db/host, PUT /db/host/:id, and bulk-import, inserts/updates go directly to ssh_data. This stores password/key in plaintext if encryption is enabled. Wrap writes with the encryption layer.
- const result = await db.insert(sshData).values(sshDataObj).returning();
+ const result = await EncryptedDBOperations.insert('ssh_data', sshDataObj);

- await db.update(sshData).set(sshDataObj).where(...);
+ await EncryptedDBOperations.update('ssh_data', sshDataObj, (qb) =>
+   qb.where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId)))
+);

- await db.insert(sshData).values(sshDataObj);
+ await EncryptedDBOperations.insert('ssh_data', sshDataObj);
If the exact API differs, call the provided encryptFields helper before persisting.

Also applies to: 381-386, 1228-1228

1025-1058: Use encryption wrapper for credential lookup

resolveHostCredentials still queries ssh_credentials via db.select(). Switch to EncryptedDBOperations.select to get decrypted fields.
- const credentials = await db
-   .select()
-   .from(sshCredentials)
-   .where(...);
+ const credentials = await EncryptedDBOperations.select(
+   db.select().from(sshCredentials).where(...),
+   'ssh_credentials'
+);
1-1248: Harden localhost check and stop writing plaintext secrets to encrypted tables

isLocalhost() relies on req.ip and ignores X-Forwarded-For — behind proxies this is unreliable. Either enable Express trust proxy and validate X-Forwarded-For for trusted proxies, or restrict the internal endpoint to 127.0.0.1 at the server/router binding. Location: src/backend/database/routes/ssh.ts (isLocalhost + GET /db/host/internal).

Several endpoints write directly to ssh_data without using the encryption wrapper (sensitive fields: password, key, keyPassword): POST /db/host (db.insert(sshData).values(...).returning()), PUT /db/host/:id (db.update(sshData).set(...)), POST /bulk-import (db.insert(sshData)). Ensure all writes use EncryptedDBOperations (or encrypt fields before persist) so secrets are not stored plaintext. Location: src/backend/database/routes/ssh.ts.

Audit: run a repo-wide search for db.insert/db.update against sshData and sshCredentials and fix any remaining unwrapped writes.

🧹 Nitpick comments (46)

src/backend/database/db/schema.ts (1)
140-145: Consider increasing key field lengths for future-proofing

The current key field lengths might be insufficient for certain key formats:

RSA-4096 keys can exceed 4096 characters in public key format

Future key formats might require more space

Consider using larger limits or TEXT type without length restrictions for maximum flexibility.
-  key: text("key", { length: 16384 }), // backward compatibility
-  privateKey: text("private_key", { length: 16384 }),
-  publicKey: text("public_key", { length: 4096 }),
+  key: text("key"), // backward compatibility
+  privateKey: text("private_key"),
+  publicKey: text("public_key"),
src/backend/utils/ssh-key-utils.ts (1)
243-248: Remove or reduce verbose debug logging in production

Extensive console logging can impact performance and expose sensitive information in production logs.

Consider using a proper logging framework with configurable log levels:
-  console.log('=== SSH Key Parsing Debug ===');
-  console.log('Key length:', privateKeyData?.length || 'undefined');
-  console.log('First 100 chars:', privateKeyData?.substring(0, 100) || 'undefined');
-  console.log('ssh2Utils available:', typeof ssh2Utils);
-  console.log('parseKey function available:', typeof ssh2Utils?.parseKey);
+  if (process.env.NODE_ENV === 'development') {
+    console.debug('SSH Key Parsing - Key length:', privateKeyData?.length || 'undefined');
+  }
src/backend/database/routes/ssh.ts (2)
419-421: Credential resolution should prefer new private/public key fields

When loading ssh_credentials, prefer privateKey over legacy key, and include detectedKeyType if present. This keeps behavior aligned with the new schema.
- if (credential.key) {
-   baseHost.key = credential.key;
- }
+ const pk = credential.privateKey ?? credential.key;
+ if (pk) baseHost.key = pk;
+ if (credential.keyType) baseHost.keyType = credential.keyType;
+ if (credential.detectedKeyType && !baseHost.keyType) {
+   baseHost.keyType = credential.detectedKeyType;
+ }
Also applies to: 1044-1048

341-359: Update updatedAt on host updates

The update path doesn’t refresh updatedAt. Set it to now to keep timestamps consistent.
const sshDataObj: any = {
   name,
   folder,
   ...
-  defaultPath: defaultPath || null,
+  defaultPath: defaultPath || null,
+  updatedAt: new Date().toISOString(),
};
src/backend/starter.ts (1)

27-32: Consider gating deferred imports on readiness

If initialize() can complete with encryption disabled (e.g., first-run without key), defer importing SSH modules until encryption becomes ready or ensure those modules tolerate a “not-encrypted-yet” state.

src/backend/ssh/server-stats.ts (1)

448-487: Private key handling: normalize and validate

The normalization is good. Consider accepting both legacy key and new privateKey if upstream starts sending the latter, and include an explicit error for encrypted keys without a passphrase.
src/ui/Desktop/Admin/AdminSettings.tsx (3)
85-90: Avoid any for encryptionStatus; add a typed shape

Add a minimal interface for the status payload to retain type safety and avoid runtime typos.
- const [encryptionStatus, setEncryptionStatus] = React.useState<any>(null);
+ interface EncryptionStatus {
+   encryption?: { enabled?: boolean; key?: { hasKey?: boolean; keyId?: string; createdAt?: string; kekProtected?: boolean; kekValid?: boolean } };
+   migration?: { migrationRequired?: boolean; migrationCompleted?: boolean };
+ }
+ const [encryptionStatus, setEncryptionStatus] = React.useState<EncryptionStatus | null>(null);
794-1001: Use theme tokens instead of hardcoded Tailwind colors; add a11y affordances

Replace text-green-600/yellow-600/blue-50/etc. with the app’s CSS variables/classes (e.g., text-success, text-warning, bg-muted, text-muted-foreground) to respect themes and WCAG. Also add aria-live="polite" to the migration progress container.
- <div className="p-3 bg-blue-50 border border-blue-200 rounded-md">
+ <div className="p-3 bg-muted border border-border rounded-md">
- <Lock className="h-4 w-4 text-green-600" />
+ <Lock className="h-4 w-4 text-success" />
- <span className="text-yellow-600">
+ <span className="text-warning">
- <div className="p-3 bg-blue-50 border border-blue-200 rounded-md">
+ <div className="p-3 bg-muted border border-border rounded-md" aria-live="polite">
95-113: Electron URL checks return early but silently; surface feedback

When configuredServerUrl is missing, the effects just return. Add a toast or UI hint so admins know why security settings aren’t loading.

Also applies to: 123-134, 137-158
src/backend/utils/encryption-key-manager.ts (2)
276-281: Use 12‑byte (96‑bit) IV for AES‑GCM validation.

GCM performs best and is standard with a 12‑byte IV. This path is only a self‑test, but aligning costs nothing.
-      const iv = crypto.randomBytes(16);
+      const iv = crypto.randomBytes(12);
33-43: Legacy migration: preserve original key material form in metadata.

You’re converting legacy base64 → hex, then persisting KEK‑protected hex. Consider recording format: 'hex'|'base64'|'kdf' in keyData to aid audits/forensics.

Non‑blocking, but improves operability.

Also applies to: 191-207
SECURITY.md (3)
154-171: Status example doesn’t match the actual API shape.

EncryptionKeyManager.getEncryptionStatus() returns fields like hasKey, keyValid, initialized, kekProtected, kekValid, etc. Update the sample:
-{
-  "encryption": {
-    "enabled": true,
-    "configValid": true,
-    "forceEncryption": false,
-    "migrateOnAccess": true
-  },
-  "migration": {
-    "isEncryptionEnabled": true,
-    "migrationCompleted": true,
-    "migrationDate": "2024-01-15T10:30:00Z"
-  }
-}
+{
+  "hasKey": true,
+  "keyValid": true,
+  "keyId": "abcd1234ef56...",
+  "createdAt": "2025-09-16T02:40:00.000Z",
+  "algorithm": "aes-256-gcm",
+  "initialized": true,
+  "kekProtected": true,
+  "kekValid": true
+}
185-186: Update security warning message to reflect implementation.

Docs mention “not set, using default (INSECURE)”, but code generates a new random key when unset. Reword to avoid implying a static default exists.

192-202: Fix markdownlint MD036: use headings, not emphasis.

Replace emphasized pseudo‑headings with #### headings for “Common Issues,” “Performance issues,” and “Key rotation.”
src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx (4)
90-91: Strong typing: avoid any[] for hosts.

Use the central SSHHost type for availableHosts.
-import { toast } from "sonner";
+import { toast } from "sonner";
+import type { SSHHost } from "@/types/index.js";
@@
-  const [availableHosts, setAvailableHosts] = useState<any[]>([]);
+  const [availableHosts, setAvailableHosts] = useState<SSHHost[]>([]);
128-140: Don’t require publicKey to deploy; let backend derive it if needed.

Blocking deployment when publicKey is missing is unnecessary if the server can derive it from the stored private key. Remove the check to reduce UX friction.
   const handleDeploy = (credential: Credential) => {
     if (credential.authType !== 'key') {
       toast.error("Only SSH key-based credentials can be deployed");
       return;
     }
-    if (!credential.publicKey) {
-      toast.error("Public key is required for deployment");
-      return;
-    }
     setDeployingCredential(credential);
     setSelectedHostId("");
     setShowDeployDialog(true);
   };
142-169: Input validation and cleanup on close.

Ensure selectedHostId parses to a finite number.

Reset transient state when the sheet closes to avoid stale state.
-  const performDeploy = async () => {
+  const performDeploy = async () => {
     if (!deployingCredential || !selectedHostId) {
       toast.error("Please select a target host");
       return;
     }
 
     setDeployLoading(true);
     try {
-      const result = await deployCredentialToHost(
-        deployingCredential.id,
-        parseInt(selectedHostId)
-      );
+      const hostId = Number(selectedHostId);
+      if (!Number.isFinite(hostId)) throw new Error("Invalid host id");
+      const result = await deployCredentialToHost(deployingCredential.id, hostId);
@@
-        setShowDeployDialog(false);
-        setDeployingCredential(null);
-        setSelectedHostId("");
+        setShowDeployDialog(false);
+        setDeployingCredential(null);
+        setSelectedHostId("");
       } else {
         toast.error(result.error || "Deployment failed");
       }
@@
   };
And for the sheet:
-<Sheet open={showDeployDialog} onOpenChange={setShowDeployDialog}>
+<Sheet
+  open={showDeployDialog}
+  onOpenChange={(open) => {
+    setShowDeployDialog(open);
+    if (!open) {
+      setDeployingCredential(null);
+      setSelectedHostId("");
+      setDeployLoading(false);
+    }
+  }}
+>
130-136: Internationalization: hard‑coded English strings.

New UI text (errors, labels, buttons, note content) bypasses i18n. Wrap with t() and add keys.

Examples:
- toast.error("Only SSH key-based credentials can be deployed");
+ toast.error(t("credentials.deploy.onlyKeyCredentials"));
@@
- toast.error("Public key is required for deployment");
+ toast.error(t("credentials.deploy.publicKeyRequired"));
@@
- <p>Deploy SSH key to host</p>
+ <p>{t("credentials.deploy.actionTooltip")}</p>
@@
- <div className="text-xl font-semibold">Deploy SSH Key</div>
+ <div className="text-xl font-semibold">{t("credentials.deploy.title")}</div>
Applies throughout the deploy sheet content.

Also applies to: 155-169, 658-677, 789-926
src/ui/main-axios.ts (3)
176-179: Hard‑coded Electron User‑Agent/version.

"Termix-Electron/1.6.0" will drift. Source the version from a single place (e.g., injected at build time or import.meta.env.VITE_APP_VERSION) to keep logs consistent.
-      config.headers["User-Agent"] = "Termix-Electron/1.6.0";
+      config.headers["User-Agent"] = `Termix-Electron/${import.meta.env.VITE_APP_VERSION ?? "unknown"}`;
1509-1510: Consistent error propagation style.

You’re using throw handleApiError(...) in several places, while elsewhere you just call handleApiError(...) (which already throws). Drop the extra throw for consistency and clarity.
-  } catch (error) {
-    throw handleApiError(error, "fetch credentials");
-  }
+  } catch (error) {
+    handleApiError(error, "fetch credentials");
+  }
Apply similarly to the other wrappers listed in the ranges.

Also applies to: 1518-1519, 1527-1528, 1542-1543, 1551-1552, 1597-1599, 1607-1609, 1623-1624, 1666-1668, 1681-1682, 1694-1695, 1711-1712, 1726-1727, 1743-1744, 1758-1759

1730-1745: Prefer specific response types over any.

For generateKeyPair/friends, define response shapes (e.g., { success: boolean; privateKey?: string; publicKey?: string; error?: string }) to strengthen type safety across UI callers.
src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx (4)
51-56: Use ReturnType<typeof setTimeout> for browser timers.

NodeJS.Timeout can be wrong in DOM builds. Safer typing:
-  const keyDetectionTimeoutRef = useRef<NodeJS.Timeout | null>(null);
+  const keyDetectionTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
@@
-  const publicKeyDetectionTimeoutRef = useRef<NodeJS.Timeout | null>(null);
+  const publicKeyDetectionTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
Also applies to: 220-231, 256-265, 290-299

103-128: Tighten Zod schema for key/publicKey types.

key is any but you treat it as string | File. Make this explicit; also default publicKey to empty string or undefined, not both.
-      key: z.any().optional().nullable(),
-      publicKey: z.string().optional(),
+      key: z.union([z.string(), z.instanceof(File)]).optional().nullable(),
+      publicKey: z.string().trim().min(1).optional(),
Adjust defaults accordingly if you want "" vs undefined.

Also applies to: 151-166

173-201: Avoid arbitrary setTimeout before form.reset.

The 100ms delay can race and cause flaky UX. Reset immediately after fetching details; React Hook Form can handle it without a delay.
-      setTimeout(() => {
-        const formData = { ... };
-        form.reset(formData);
-        setTagInput("");
-      }, 100);
+      const formData = { ... };
+      form.reset(formData);
+      setTagInput("");
696-784: Harden key generation flows with typed responses and error details.

UI assumes { success, privateKey, publicKey, error }. Define/consume a typed response to avoid runtime checks and surface backend error messages consistently in toasts.

Also applies to: 903-935
src/backend/utils/encryption.ts (3)
22-25: Use 12‑byte IVs for AES‑GCM (performance/interop).

GCM performs best and is most interoperable with a 96‑bit IV. Using 16 bytes is allowed but slower and can surprise future consumers.

Apply this diff:
-    ivLength: 16,
+    ivLength: 12,
61-63: Always encrypt; don’t special‑case empty plaintext.

Returning empty fields breaks detection and health checks. Let AES‑GCM run even for empty strings.

Apply this diff:
-  static encrypt(plaintext: string, key: Buffer): EncryptedData {
-    if (!plaintext) return { data: '', iv: '', tag: '' };
+  static encrypt(plaintext: string, key: Buffer): EncryptedData {
127-129: Dead code: generateSalt() is unused.

Either remove it or plumb it into per‑record keying if you plan to store per‑value salts.

Apply this diff to remove if not used:
-  static generateSalt(): string {
-    return crypto.randomBytes(this.CONFIG.saltLength).toString('hex');
-  }
src/backend/utils/encryption-test.ts (3)
115-122: Await async initialization to avoid races.

initialize() is async; even with provided masterPassword, future async inits could slip. Safer to await.

Apply this diff:
-    DatabaseEncryption.initialize({
+    await DatabaseEncryption.initialize({
       masterPassword: this.testPassword,
       encryptionEnabled: true,
       forceEncryption: false,
       migrateOnAccess: true
     });
226-251: Production validator should await initialize().

Same reasoning as above; ensures status is read after init.

Apply this diff:
-      DatabaseEncryption.initialize({
+      await DatabaseEncryption.initialize({
         masterPassword: encryptionKey,
         encryptionEnabled: true
       });
176-197: Error message assertion is brittle.

String‑matching on error messages is fragile. Prefer checking error type or a stable prefix you control.

Example:
-    } catch (error) {
-      if (!error || !(error as Error).message.includes('decryption failed')) {
+    } catch (error) {
+      if (!(error instanceof Error) || !/^Field decryption failed:/i.test(error.message)) {
         throw new Error('Should throw appropriate decryption error');
       }
     }
src/backend/utils/master-key-protection.ts (2)
184-191: isProtectedKey validation is permissive.

Only checks property presence; add basic type/length checks to reduce false positives.

Apply this diff:
-      return !!(parsed.data && parsed.iv && parsed.tag && parsed.version && parsed.fingerprint);
+      return typeof parsed.data === 'string'
+        && typeof parsed.iv === 'string' && parsed.iv.length >= 24
+        && typeof parsed.tag === 'string' && parsed.tag.length >= 16
+        && parsed.version === this.VERSION
+        && typeof parsed.fingerprint === 'string' && parsed.fingerprint.length >= 8;
126-133: Minimize sensitive fingerprint logging.

Even prefixes can aid tracking. Consider downgrading to debug or removing.
src/backend/utils/database-encryption.ts (3)
41-73: Encrypt only string fields; guard non‑string values.

If a flagged field ever holds non‑string data, casting can throw. Add a typeof check and stringify policy.

Apply this diff:
-      if (FieldEncryption.shouldEncryptField(tableName, fieldName) && value) {
+      if (FieldEncryption.shouldEncryptField(tableName, fieldName) && value != null) {
         try {
           const fieldKey = FieldEncryption.getFieldKey(context.masterPassword, `${tableName}.${fieldName}`);
-          encryptedRecord[fieldName] = FieldEncryption.encryptField(value as string, fieldKey);
+          if (typeof value === 'string') {
+            encryptedRecord[fieldName] = FieldEncryption.encryptField(value, fieldKey);
+          } else {
+            // Serialize deterministically before encrypting
+            encryptedRecord[fieldName] = FieldEncryption.encryptField(JSON.stringify(value), fieldKey);
+          }
75-130: Decryption path should mirror serialization choice.

If you serialize non‑strings for encryption, parse them back (when JSON).

Apply this diff:
-          if (FieldEncryption.isEncrypted(value as string)) {
-            decryptedRecord[fieldName] = FieldEncryption.decryptField(value as string, fieldKey);
+          if (typeof value === 'string' && FieldEncryption.isEncrypted(value)) {
+            const plain = FieldEncryption.decryptField(value, fieldKey);
+            // Try to parse JSON; fall back to raw
+            try {
+              decryptedRecord[fieldName] = JSON.parse(plain);
+            } catch {
+              decryptedRecord[fieldName] = plain;
+            }
125-129: Migrate decrypted values, not original record.

Passing the original record may miss transforms applied during decryption. Use decryptedRecord.

Apply this diff:
-      this.scheduleFieldMigration(tableName, record);
+      this.scheduleFieldMigration(tableName, decryptedRecord);
src/backend/utils/encrypted-db-operations.ts (4)
60-76: selectOne() should handle array or single‑row results.

Drizzle queries may return [] or a row depending on usage.

Apply this diff:
-      const result = await query;
-      if (!result) return undefined;
-
-      const decryptedResult = DatabaseEncryption.decryptRecord(tableName, result);
+      const result = await query;
+      if (!result) return undefined;
+      const row = Array.isArray(result) ? result[0] : result;
+      if (!row) return undefined;
+      const decryptedResult = DatabaseEncryption.decryptRecord(tableName, row);
145-163: Switch‑case declarations leak across clauses (Biome noSwitchDeclarations).

Wrap each case in a block to scope declarations.

Apply this diff:
       switch (tableName) {
         case 'users':
-          const { users } = await import('../database/db/schema.js');
-          table = users;
-          records = await db.select().from(users);
+          {
+            const { users } = await import('../database/db/schema.js');
+            table = users;
+            records = await db.select().from(users);
+          }
           break;
         case 'ssh_data':
-          const { sshData } = await import('../database/db/schema.js');
-          table = sshData;
-          records = await db.select().from(sshData);
+          {
+            const { sshData } = await import('../database/db/schema.js');
+            table = sshData;
+            records = await db.select().from(sshData);
+          }
           break;
         case 'ssh_credentials':
-          const { sshCredentials } = await import('../database/db/schema.js');
-          table = sshCredentials;
-          records = await db.select().from(sshCredentials);
+          {
+            const { sshCredentials } = await import('../database/db/schema.js');
+            table = sshCredentials;
+            records = await db.select().from(sshCredentials);
+          }
           break;
169-173: Avoid importing eq() inside a hot loop.

Hoist the import once for performance and clarity.

Apply this diff:
-            const { eq } = await import('drizzle-orm');
-            await db.update(table).set(migratedRecord).where(eq((table as any).id, record.id));
+            const { eq } = await import('drizzle-orm');
+            await db.update(table).set(migratedRecord).where(eq((table as any).id, record.id));
Move the import('drizzle-orm') outside the loop:
-      for (const record of records) {
+      const { eq } = await import('drizzle-orm');
+      for (const record of records) {
36-51: Decrypt query results defensively.

If query resolves to undefined/null, current code passes it to decryptRecords (which expects arrays). You guard already with try/catch, but add a nullish coalesce for safety.

Apply this diff:
-      const decryptedResults = DatabaseEncryption.decryptRecords(tableName, results);
+      const decryptedResults = DatabaseEncryption.decryptRecords(tableName, results ?? []);
unified_key_section.tsx (3)
33-34: Silent error handling masks failures.

File read errors are only logged to console, which won't be visible to users in production. Users need feedback when file operations fail.

Consider showing user-friendly error messages using your notification system instead of just console.error.

85-91: Consider using the centralized color system.

The component uses inline color classes like text-green-600 and text-destructive. Consider using CSS variables from your established color token system for consistency.
-                            <span className={`font-medium ${
-                              detectedKeyType === 'invalid' || detectedKeyType === 'error'
-                                ? 'text-destructive'
-                                : 'text-green-600'
-                            }`}>
+                            <span className={`font-medium ${
+                              detectedKeyType === 'invalid' || detectedKeyType === 'error'
+                                ? 'text-destructive'
+                                : 'text-success'
+                            }`}>
145-145: Inconsistent file accept attribute.

Public key upload accepts * while it should be more restrictive like the private key input.
-                                      accept="*,.pub,.txt"
+                                      accept=".pub,.txt"
src/backend/utils/encryption-migration.ts (1)
268-278: Test encryption uses predictable data.

The test encryption uses Date.now() which is predictable and could be insufficient for security validation.
-      const testData = `test-data-${Date.now()}`;
+      const crypto = await import('crypto');
+      const testData = `test-data-${crypto.randomBytes(16).toString('hex')}`;
src/backend/database/routes/credentials.ts (2)
15-58: SSH key generation lacks proper error handling for unsupported key types.

The function silently falls back to defaults for unsupported key types without validation.

Add validation for supported key types:
   try {
+    const supportedTypes = ['ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256'];
+    if (!supportedTypes.includes(keyType)) {
+      return {
+        success: false,
+        error: `Unsupported key type: ${keyType}`
+      };
+    }
+
     // Convert our keyType to ssh2 format
1131-1134: Connection timeout might be too long.

30-second timeout for SSH connections could tie up resources. Consider making it configurable.
-    }, 30000);
+    }, parseInt(process.env.SSH_DEPLOY_TIMEOUT || '10000'));

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0f75cd4d16 and 0839cb4134.

⛔ Files ignored due to path filters (3)

package.json is excluded by !**/*.json
src/locales/en/translation.json is excluded by !**/*.json
src/locales/zh/translation.json is excluded by !**/*.json

📒 Files selected for processing (24)

SECURITY.md (1 hunks)
src/backend/database/database.ts (4 hunks)
src/backend/database/db/index.ts (1 hunks)
src/backend/database/db/schema.ts (1 hunks)
src/backend/database/routes/credentials.ts (9 hunks)
src/backend/database/routes/ssh.ts (2 hunks)
src/backend/ssh/server-stats.ts (4 hunks)
src/backend/ssh/terminal.ts (1 hunks)
src/backend/ssh/tunnel.ts (2 hunks)
src/backend/starter.ts (2 hunks)
src/backend/utils/database-encryption.ts (1 hunks)
src/backend/utils/encrypted-db-operations.ts (1 hunks)
src/backend/utils/encryption-key-manager.ts (1 hunks)
src/backend/utils/encryption-migration.ts (1 hunks)
src/backend/utils/encryption-test.ts (1 hunks)
src/backend/utils/encryption.ts (1 hunks)
src/backend/utils/master-key-protection.ts (1 hunks)
src/backend/utils/ssh-key-utils.ts (1 hunks)
src/types/index.ts (2 hunks)
src/ui/Desktop/Admin/AdminSettings.tsx (6 hunks)
src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx (10 hunks)
src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx (6 hunks)
src/ui/main-axios.ts (9 hunks)
unified_key_section.tsx (1 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

**/*.{ts,tsx}

⚙️ CodeRabbit configuration file

**/*.{ts,tsx}: Review TypeScript and React code for Termix server management platform. Key considerations:

Architecture & Patterns:

Follow the established multi-port backend architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085)

Use proper separation between Desktop and Mobile UI components

Maintain consistent state management patterns with React hooks and context

Follow the established tab-based navigation system

Database & Backend:

Use Drizzle ORM with SQLite for database operations

Implement proper JWT authentication middleware patterns

Follow the established API error handling patterns in main-axios.ts

Use proper logging with the structured logger system (apiLogger, authLogger, sshLogger, etc.)

Maintain proper input validation and sanitization

UI/UX Guidelines:

Use Shadcn/UI components with Tailwind CSS for consistent styling

Follow the established theme system with dark/light mode support

Use proper responsive design patterns for Desktop/Mobile views

Implement proper loading states and error handling

Use the established confirmation patterns with useConfirmation hook

Use CSS variables and classes from index.css instead of hardcoding colors

Follow the established color token system (--primary, --secondary, --background, etc.)

Use proper Tailwind CSS classes instead of inline styles

Implement proper focus states and accessibility indicators

SSH & Security:

Implement proper SSH connection management with session handling

Use secure credential storage and management patterns

Follow the established authentication flow (password, key, credential-based)

Implement proper file operation security and validation

Code Quality:

Use proper TypeScript types from the centralized types/index.ts

Follow the established API patterns in main-axios.ts

Implement proper error boundaries and fallback UI

Use proper React patterns (hooks, context, refs)

Maintain consistent naming conventions...

Files:

src/backend/database/db/index.ts
src/types/index.ts
src/backend/ssh/terminal.ts
src/backend/ssh/tunnel.ts
src/backend/utils/ssh-key-utils.ts
src/backend/utils/master-key-protection.ts
src/backend/utils/encryption-migration.ts
src/backend/utils/encryption.ts
src/backend/ssh/server-stats.ts
src/ui/Desktop/Admin/AdminSettings.tsx
unified_key_section.tsx
src/backend/database/db/schema.ts
src/backend/utils/database-encryption.ts
src/backend/utils/encryption-test.ts
src/backend/starter.ts
src/backend/utils/encrypted-db-operations.ts
src/backend/database/routes/ssh.ts
src/backend/database/database.ts
src/ui/main-axios.ts
src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx
src/backend/utils/encryption-key-manager.ts
src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx
src/backend/database/routes/credentials.ts

**/backend/**/*.{ts,js}

⚙️ CodeRabbit configuration file

**/backend/**/*.{ts,js}: Review backend code for Termix server management platform. Key considerations:

Backend Architecture:

Follow the multi-port microservice architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085)

Use Express.js with proper middleware patterns

Implement proper CORS and security headers

Use proper request/response logging with structured logging

Database Operations:

Use Drizzle ORM with proper schema definitions

Implement proper database migrations and schema updates

Use proper transaction handling for critical operations

Follow the established database connection patterns

Authentication & Security:

Implement proper JWT token validation and refresh

Use bcryptjs for password hashing with proper salt rounds

Implement proper input validation and sanitization

Use proper CORS configuration for security

Implement proper rate limiting and security headers

SSH Operations:

Use ssh2 library with proper connection management

Implement proper SSH key handling and validation

Use proper session management and cleanup

Implement proper error handling for SSH operations

Use proper file operation security and validation

API Design:

Follow RESTful API patterns with proper HTTP status codes

Implement proper error response formatting

Use proper request/response validation

Implement proper API versioning and backward compatibility

All API routes should be defined in main-axios.ts, not scattered across components

Use the established multi-port API architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085)

Follow the established error handling patterns with handleApiError function

Use proper structured logging with service-specific loggers (apiLogger, authLogger, sshLogger, etc.)

Logging & Monitoring:

Use the structured logging system with proper context

Implement proper error tracking and reporting

Use proper performance monitoring and metrics

Impleme...

Files:

src/backend/database/db/index.ts
src/backend/ssh/terminal.ts
src/backend/ssh/tunnel.ts
src/backend/utils/ssh-key-utils.ts
src/backend/utils/master-key-protection.ts
src/backend/utils/encryption-migration.ts
src/backend/utils/encryption.ts
src/backend/ssh/server-stats.ts
src/backend/database/db/schema.ts
src/backend/utils/database-encryption.ts
src/backend/utils/encryption-test.ts
src/backend/starter.ts
src/backend/utils/encrypted-db-operations.ts
src/backend/database/routes/ssh.ts
src/backend/database/database.ts
src/backend/utils/encryption-key-manager.ts
src/backend/database/routes/credentials.ts

**/types/**/*.{ts,js}

⚙️ CodeRabbit configuration file

**/types/**/*.{ts,js}: Review type definitions for Termix server management platform. Key considerations:

Type Design:

Use proper TypeScript interfaces and type definitions

Implement proper type safety and validation

Use proper generic types and utility types

Follow the established type naming conventions

API Types:

Define proper request/response types for all API endpoints

Use proper error types and status codes

Implement proper validation types and schemas

Use proper pagination and filtering types

SSH Types:

Define proper SSH connection and configuration types

Use proper tunnel and credential types

Implement proper file operation types

Use proper authentication and security types

Type Safety:

Ensure proper type coverage and completeness

Use proper strict type checking

Implement proper type narrowing and guards

Use proper type assertions and casting

Highlight any type safety issues, missing types, or type inconsistencies.

Files:

src/types/index.ts

**/*.md

⚙️ CodeRabbit configuration file

**/*.md: Review documentation files for Termix server management platform. Key considerations:

Documentation Quality:

Ensure proper grammar, spelling, and clarity

Use proper formatting and structure

Implement proper code examples and snippets

Follow the established documentation standards

Content Accuracy:

Ensure proper technical accuracy and completeness

Use proper up-to-date information and examples

Implement proper cross-references and links

Use proper version and compatibility information

User Experience:

Ensure proper user-friendly language and explanations

Use proper step-by-step instructions and guides

Implement proper troubleshooting and FAQ sections

Use proper visual aids and diagrams where appropriate

Highlight any documentation issues, inaccuracies, or missing information.

Files:

SECURITY.md

**/main-axios.ts

⚙️ CodeRabbit configuration file

**/main-axios.ts: Review main-axios.ts API client configuration for Termix server management platform. Key considerations:

API Client Architecture:

Maintain the multi-port API architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085)

Use proper service-specific API instances (sshHostApi, tunnelApi, fileManagerApi, statsApi, authApi)

Implement proper API instance creation with createApiInstance function

Use proper base URL configuration for different environments (dev, production, Electron)

Error Handling:

Use the centralized handleApiError function for consistent error handling

Implement proper error classification (auth, network, validation, server errors)

Use proper error logging with service-specific loggers

Implement proper error response formatting and user-friendly messages

Request/Response Interceptors:

Implement proper JWT token handling in request interceptors

Use proper request timing and performance logging

Implement proper response logging and error tracking

Use proper authentication token refresh and cleanup

API Function Organization:

Group API functions by service (SSH Host Management, Tunnel Management, File Manager, etc.)

Use proper TypeScript types for all API functions

Implement proper parameter validation and sanitization

Use proper return type definitions and error handling

Authentication:

Implement proper JWT token management and refresh

Use proper cookie handling for web and Electron environments

Implement proper authentication state management

Use proper token expiration and cleanup

Logging:

Use proper structured logging with context and metadata

Implement proper request/response logging with performance metrics

Use proper error logging with appropriate log levels

Implement proper service-specific logger selection

Performance:

Implement proper request timeout and retry logic

Use proper connection pooling and resource management

Implement pr...

Files:

src/ui/main-axios.ts

🧬 Code graph analysis (16)

src/backend/utils/ssh-key-utils.ts (1)

src/ui/main-axios.ts (2)

detectKeyType (1670-1683)

validateKeyPair (1698-1713)

src/backend/utils/master-key-protection.ts (1)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/backend/utils/encryption-migration.ts (3)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/backend/database/db/index.ts (1)

db (311-311)

src/backend/database/db/schema.ts (3)

settings (28-31)

sshData (33-70)

sshCredentials (128-154)

src/backend/ssh/server-stats.ts (3)

src/backend/utils/encrypted-db-operations.ts (1)

EncryptedDBOperations (213-213)

src/backend/database/db/index.ts (1)

db (311-311)

src/backend/database/db/schema.ts (2)

sshData (33-70)

sshCredentials (128-154)

src/ui/Desktop/Admin/AdminSettings.tsx (1)

src/ui/main-axios.ts (2)

isElectron (87-92)

getCookie (119-130)

unified_key_section.tsx (1)

src/backend/utils/ssh-key-utils.ts (1)

getFriendlyKeyTypeName (411-425)

src/backend/utils/database-encryption.ts (3)

src/backend/utils/encryption-key-manager.ts (1)

EncryptionKeyManager (322-322)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/backend/utils/encryption.ts (1)

FieldEncryption (142-142)

src/backend/starter.ts (1)

src/backend/utils/database-encryption.ts (1)

DatabaseEncryption (251-251)

src/backend/utils/encrypted-db-operations.ts (3)

src/backend/database/db/index.ts (1)

db (311-311)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/backend/database/db/schema.ts (3)

users (4-26)

sshData (33-70)

sshCredentials (128-154)

src/backend/database/routes/ssh.ts (3)

src/backend/utils/encrypted-db-operations.ts (1)

EncryptedDBOperations (213-213)

src/backend/database/db/index.ts (1)

db (311-311)

src/backend/database/db/schema.ts (1)

sshData (33-70)

src/backend/database/database.ts (2)

src/backend/utils/encryption-migration.ts (1)

initializeEncryption (129-149)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/ui/main-axios.ts (1)

src/backend/utils/ssh-key-utils.ts (2)

detectKeyType (396-406)

validateKeyPair (430-527)

src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx (2)

src/types/index.ts (1)

Credential (63-80)

src/ui/main-axios.ts (2)

getSSHHosts (591-598)

deployCredentialToHost (1747-1760)

src/backend/utils/encryption-key-manager.ts (3)

src/backend/utils/logger.ts (1)

databaseLogger (164-164)

src/backend/database/db/index.ts (1)

db (311-311)

src/backend/database/db/schema.ts (1)

settings (28-31)

src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx (3)

src/ui/main-axios.ts (4)

detectKeyType (1670-1683)

detectPublicKeyType (1685-1696)

generateKeyPair (1730-1745)

generatePublicKeyFromPrivate (1715-1728)

src/backend/utils/ssh-key-utils.ts (2)

detectKeyType (396-406)

getFriendlyKeyTypeName (411-425)

src/components/ui/password-input.tsx (1)

PasswordInput (11-39)

src/backend/database/routes/credentials.ts (4)

src/backend/utils/ssh-key-utils.ts (3)

parseSSHKey (242-363)

parsePublicKey (368-391)

validateKeyPair (430-527)

src/backend/database/db/schema.ts (2)

sshCredentials (128-154)

sshData (33-70)

src/backend/database/db/index.ts (1)

db (311-311)

src/ui/main-axios.ts (1)

validateKeyPair (1698-1713)

🪛 markdownlint-cli2 (0.17.2)

SECURITY.md

192-192: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

197-197: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

202-202: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🪛 Gitleaks (8.27.2)

src/backend/utils/ssh-key-utils.ts

[high] 10-31: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

[high] 64-67: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

[high] 70-75: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

[high] 79-148: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🪛 Biome (2.1.2)

src/backend/utils/encrypted-db-operations.ts

[error] 147-147: Other switch clauses can erroneously access this declaration.
Wrap the declaration in a block to restrict its access to the switch clause.

The declaration is defined in this switch clause:

Safe fix: Wrap the declaration in a block.

(lint/correctness/noSwitchDeclarations)

[error] 152-152: Other switch clauses can erroneously access this declaration.
Wrap the declaration in a block to restrict its access to the switch clause.

The declaration is defined in this switch clause:

Safe fix: Wrap the declaration in a block.

(lint/correctness/noSwitchDeclarations)

[error] 157-157: Other switch clauses can erroneously access this declaration.
Wrap the declaration in a block to restrict its access to the switch clause.

The declaration is defined in this switch clause:

Safe fix: Wrap the declaration in a block.

(lint/correctness/noSwitchDeclarations)

🔇 Additional comments (18)

src/types/index.ts (1)

73-73: LGTM! Well-structured type addition

The addition of the optional publicKey field to both Credential and CredentialData interfaces is clean and maintains backward compatibility.

src/backend/ssh/tunnel.ts (1)

458-458: Good backward compatibility approach

The implementation correctly prefers the new privateKey field while maintaining backward compatibility with the existing key field.

src/backend/ssh/terminal.ts (1)

194-194: Consistent implementation with tunnel.ts

Good consistency in preferring the new privateKey field while maintaining backward compatibility, matching the pattern used in tunnel.ts.

src/backend/utils/ssh-key-utils.ts (2)

279-290: Resolved — SSH public key formatting is handled

parsedKey.getPublicSSH() is checked and, when it returns a Buffer, the code base64-encodes the buffer and prefixes it with the key type (producing "keytype base64data") — implemented in src/backend/utils/ssh-key-utils.ts and src/backend/database/routes/credentials.ts. No change required.

1-3: Verify ssh2 import compatibility

Two files use a default import from 'ssh2' while the rest use named imports — this can break depending on project module settings (no package.json/tsconfig found to confirm esModuleInterop/allowSyntheticDefaultImports or "type"). Affected files: src/backend/utils/ssh-key-utils.ts, src/backend/database/routes/credentials.ts. Make imports consistent: either enable esModuleInterop/allowSyntheticDefaultImports (and confirm package.json "type") or switch to named imports (import { utils, Client } from 'ssh2') / use require().

src/backend/database/db/index.ts (1)

253-257: SSH credentials columns added — aligns with encrypted model

Adding private_key, public_key, and detected_key_type is consistent with the new encrypted credentials workflow and the Drizzle schema. No issues with idempotent addColumnIfNotExists usage.

If not already done in schema.ts migrations elsewhere, confirm that any code reading credentials prefers private_key over legacy key where both exist, to avoid ambiguity post‑migration.

src/backend/database/routes/ssh.ts (1)

16-16: Good: encryption layer imported where needed

Importing EncryptedDBOperations here is the right direction.

src/backend/starter.ts (1)

21-26: Init order: encryption before SSH subsystems — good

Initializing DatabaseEncryption before loading terminal/tunnel/file-manager/stats modules matches the new security model.

Confirm DatabaseEncryption.initialize() fails fast (process exit) if KEK/key material is corrupted to avoid starting dependent services in a partial state.

src/backend/ssh/server-stats.ts (1)

309-314: Good: all DB reads now go through EncryptedDBOperations

Hosts and credential lookups are decrypted consistently.

Also applies to: 340-343, 390-396

SECURITY.md (1)

197-201: Avoid unsubstantiated performance claims.

“Encryption adds ~1ms per operation” needs a reference or a benchmark caveat (hardware/workload dependent). Add a note or remove the figure.

src/backend/utils/encryption.ts (1)

27-31: Confirm encrypted field registry is complete and consistent with schema.

Fields look aligned with schema, including ssh_credentials.privateKey/publicKey. Please confirm no other sensitive fields (e.g., users.client_id, issuer_url) require at-rest encryption per your threat model.

src/backend/utils/database-encryption.ts (1)

188-204: Config validation: cover empty‑string edge case.

Given encrypting empty strings now produces valid objects, ensure the self‑test isn’t affected by sentinel logic elsewhere.

unified_key_section.tsx (2)

69-69: LGTM! Proper controlled component handling.

Good implementation of controlled textarea with proper type checking for the field value.

240-264: LGTM! Well-structured public key generation UI.

The conditional rendering and loading states are properly handled, with clear user feedback through the generatePublicKeyNote.

src/backend/database/database.ts (1)

260-275: LGTM! Well-structured status endpoint.

Good separation of concerns between encryption status and migration status, with proper error handling.

src/backend/utils/encryption-migration.ts (1)

358-370: LGTM! Smart encryption detection heuristic.

Good implementation of encryption detection that checks for both JSON format and base64 characteristics.

src/backend/database/routes/credentials.ts (2)

198-203: LGTM! Proper use of encrypted DB operations.

Good integration with EncryptedDBOperations for secure credential storage.

1344-1345: Good backward compatibility handling.

The code properly handles both the new privateKey field and the legacy key field.

**Actionable comments posted: 28** > [!CAUTION] > Some comments are outside the diff and can’t be posted inline due to platform limitations. > > > > <details> > <summary>⚠️ Outside diff range comments (7)</summary><blockquote> > > <details> > <summary>src/backend/ssh/tunnel.ts (2)</summary><blockquote> > > `621-626`: **Security: Avoid echoing sensitive SSH keys in shell commands** > > Writing the SSH key directly in the shell command exposes it in process listings and shell history. This is a security vulnerability. > > Consider using ssh2's native connection forwarding instead of executing shell commands: > ```diff > - const keyFilePath = `/tmp/tunnel_key_${tunnelName.replace(/[^a-zA-Z0-9]/g, "_")}`; > - tunnelCmd = `echo '${resolvedEndpointCredentials.sshKey}' > ${keyFilePath} && chmod 600 ${keyFilePath} && ssh -i ${keyFilePath} -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker} && rm -f ${keyFilePath}`; > + // Use ssh2's forwardOut method instead of shell commands > + // This avoids exposing keys in process listings > ``` > Alternatively, write the key to a file using Node.js fs module with proper permissions before executing the SSH command. > > --- > > `625-625`: **Security: Command injection vulnerability with password** > > Using password directly in shell command with `sshpass` is vulnerable to command injection if the password contains special characters. > > The password needs to be properly escaped: > ```diff > - tunnelCmd = `sshpass -p '${resolvedEndpointCredentials.password || ""}' ssh -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker}`; > + // Escape password to prevent command injection > + const escapedPassword = (resolvedEndpointCredentials.password || "").replace(/'/g, "'\\''"); > + tunnelCmd = `sshpass -p '${escapedPassword}' ssh -N -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort} ${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP} ${tunnelMarker}`; > ``` > Consider using ssh2's native forwarding capabilities instead of shell commands for better security. > > </blockquote></details> > <details> > <summary>src/backend/database/routes/ssh.ts (5)</summary><blockquote> > > `44-45`: **Insecure JWT secret fallback ("secret")** > > Defaulting to 'secret' enables trivial token forgery in misconfigured environments. Make JWT_SECRET mandatory at startup and fail fast if missing. > > > ```diff > - const jwtSecret = process.env.JWT_SECRET || "secret"; > + const jwtSecret = process.env.JWT_SECRET; > + if (!jwtSecret) { > + sshLogger.error("JWT_SECRET not set"); > + return res.status(500).json({ error: "Server misconfiguration" }); > + } > ``` > > --- > > `61-64`: **"Internal" endpoint can be accessed remotely with a spoofable header** > > Allowing x-internal-request: 1 to bypass localhost check defeats the purpose of an internal-only unauthenticated endpoint. Restrict strictly to loopback and/or require a strong shared secret (env) or remove the header bypass. > > > ```diff > - if (!isLocalhost(req) && req.headers["x-internal-request"] !== "1") { > + if (!isLocalhost(req)) { > ``` > Optionally add: verify X-Internal-Secret === process.env.INTERNAL_API_SECRET. > > --- > > `201-203`: **Sensitive writes bypass encryption on ssh_data** > > In POST /db/host, PUT /db/host/:id, and bulk-import, inserts/updates go directly to ssh_data. This stores password/key in plaintext if encryption is enabled. Wrap writes with the encryption layer. > > > ```diff > - const result = await db.insert(sshData).values(sshDataObj).returning(); > + const result = await EncryptedDBOperations.insert('ssh_data', sshDataObj); > > - await db.update(sshData).set(sshDataObj).where(...); > + await EncryptedDBOperations.update('ssh_data', sshDataObj, (qb) => > + qb.where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId))) > +); > > - await db.insert(sshData).values(sshDataObj); > + await EncryptedDBOperations.insert('ssh_data', sshDataObj); > ``` > If the exact API differs, call the provided encryptFields helper before persisting. > > > Also applies to: 381-386, 1228-1228 > > --- > > `1025-1058`: **Use encryption wrapper for credential lookup** > > resolveHostCredentials still queries ssh_credentials via db.select(). Switch to EncryptedDBOperations.select to get decrypted fields. > > ```diff > - const credentials = await db > - .select() > - .from(sshCredentials) > - .where(...); > + const credentials = await EncryptedDBOperations.select( > + db.select().from(sshCredentials).where(...), > + 'ssh_credentials' > +); > ``` > > --- > > `1-1248`: **Harden localhost check and stop writing plaintext secrets to encrypted tables** > > - isLocalhost() relies on req.ip and ignores X-Forwarded-For — behind proxies this is unreliable. Either enable Express trust proxy and validate X-Forwarded-For for trusted proxies, or restrict the internal endpoint to 127.0.0.1 at the server/router binding. Location: src/backend/database/routes/ssh.ts (isLocalhost + GET /db/host/internal). > > - Several endpoints write directly to ssh_data without using the encryption wrapper (sensitive fields: password, key, keyPassword): POST /db/host (db.insert(sshData).values(...).returning()), PUT /db/host/:id (db.update(sshData).set(...)), POST /bulk-import (db.insert(sshData)). Ensure all writes use EncryptedDBOperations (or encrypt fields before persist) so secrets are not stored plaintext. Location: src/backend/database/routes/ssh.ts. > > - Audit: run a repo-wide search for db.insert/db.update against sshData and sshCredentials and fix any remaining unwrapped writes. > > </blockquote></details> > > </blockquote></details> <details> <summary>🧹 Nitpick comments (46)</summary><blockquote> <details> <summary>src/backend/database/db/schema.ts (1)</summary><blockquote> `140-145`: **Consider increasing key field lengths for future-proofing** The current key field lengths might be insufficient for certain key formats: - RSA-4096 keys can exceed 4096 characters in public key format - Future key formats might require more space Consider using larger limits or TEXT type without length restrictions for maximum flexibility. ```diff - key: text("key", { length: 16384 }), // backward compatibility - privateKey: text("private_key", { length: 16384 }), - publicKey: text("public_key", { length: 4096 }), + key: text("key"), // backward compatibility + privateKey: text("private_key"), + publicKey: text("public_key"), ``` </blockquote></details> <details> <summary>src/backend/utils/ssh-key-utils.ts (1)</summary><blockquote> `243-248`: **Remove or reduce verbose debug logging in production** Extensive console logging can impact performance and expose sensitive information in production logs. Consider using a proper logging framework with configurable log levels: ```diff - console.log('=== SSH Key Parsing Debug ==='); - console.log('Key length:', privateKeyData?.length || 'undefined'); - console.log('First 100 chars:', privateKeyData?.substring(0, 100) || 'undefined'); - console.log('ssh2Utils available:', typeof ssh2Utils); - console.log('parseKey function available:', typeof ssh2Utils?.parseKey); + if (process.env.NODE_ENV === 'development') { + console.debug('SSH Key Parsing - Key length:', privateKeyData?.length || 'undefined'); + } ``` </blockquote></details> <details> <summary>src/backend/database/routes/ssh.ts (2)</summary><blockquote> `419-421`: **Credential resolution should prefer new private/public key fields** When loading ssh_credentials, prefer privateKey over legacy key, and include detectedKeyType if present. This keeps behavior aligned with the new schema. ```diff - if (credential.key) { - baseHost.key = credential.key; - } + const pk = credential.privateKey ?? credential.key; + if (pk) baseHost.key = pk; + if (credential.keyType) baseHost.keyType = credential.keyType; + if (credential.detectedKeyType && !baseHost.keyType) { + baseHost.keyType = credential.detectedKeyType; + } ``` Also applies to: 1044-1048 --- `341-359`: **Update updatedAt on host updates** The update path doesn’t refresh updatedAt. Set it to now to keep timestamps consistent. ```diff const sshDataObj: any = { name, folder, ... - defaultPath: defaultPath || null, + defaultPath: defaultPath || null, + updatedAt: new Date().toISOString(), }; ``` </blockquote></details> <details> <summary>src/backend/starter.ts (1)</summary><blockquote> `27-32`: **Consider gating deferred imports on readiness** If initialize() can complete with encryption disabled (e.g., first-run without key), defer importing SSH modules until encryption becomes ready or ensure those modules tolerate a “not-encrypted-yet” state. </blockquote></details> <details> <summary>src/backend/ssh/server-stats.ts (1)</summary><blockquote> `448-487`: **Private key handling: normalize and validate** The normalization is good. Consider accepting both legacy key and new privateKey if upstream starts sending the latter, and include an explicit error for encrypted keys without a passphrase. </blockquote></details> <details> <summary>src/ui/Desktop/Admin/AdminSettings.tsx (3)</summary><blockquote> `85-90`: **Avoid any for encryptionStatus; add a typed shape** Add a minimal interface for the status payload to retain type safety and avoid runtime typos. ```diff - const [encryptionStatus, setEncryptionStatus] = React.useState<any>(null); + interface EncryptionStatus { + encryption?: { enabled?: boolean; key?: { hasKey?: boolean; keyId?: string; createdAt?: string; kekProtected?: boolean; kekValid?: boolean } }; + migration?: { migrationRequired?: boolean; migrationCompleted?: boolean }; + } + const [encryptionStatus, setEncryptionStatus] = React.useState<EncryptionStatus | null>(null); ``` --- `794-1001`: **Use theme tokens instead of hardcoded Tailwind colors; add a11y affordances** Replace text-green-600/yellow-600/blue-50/etc. with the app’s CSS variables/classes (e.g., text-success, text-warning, bg-muted, text-muted-foreground) to respect themes and WCAG. Also add aria-live="polite" to the migration progress container. ```diff - <div className="p-3 bg-blue-50 border border-blue-200 rounded-md"> + <div className="p-3 bg-muted border border-border rounded-md"> - <Lock className="h-4 w-4 text-green-600" /> + <Lock className="h-4 w-4 text-success" /> - <span className="text-yellow-600"> + <span className="text-warning"> - <div className="p-3 bg-blue-50 border border-blue-200 rounded-md"> + <div className="p-3 bg-muted border border-border rounded-md" aria-live="polite"> ``` --- `95-113`: **Electron URL checks return early but silently; surface feedback** When configuredServerUrl is missing, the effects just return. Add a toast or UI hint so admins know why security settings aren’t loading. Also applies to: 123-134, 137-158 </blockquote></details> <details> <summary>src/backend/utils/encryption-key-manager.ts (2)</summary><blockquote> `276-281`: **Use 12‑byte (96‑bit) IV for AES‑GCM validation.** GCM performs best and is standard with a 12‑byte IV. This path is only a self‑test, but aligning costs nothing. ```diff - const iv = crypto.randomBytes(16); + const iv = crypto.randomBytes(12); ``` --- `33-43`: **Legacy migration: preserve original key material form in metadata.** You’re converting legacy base64 → hex, then persisting KEK‑protected hex. Consider recording `format: 'hex'|'base64'|'kdf'` in `keyData` to aid audits/forensics. Non‑blocking, but improves operability. Also applies to: 191-207 </blockquote></details> <details> <summary>SECURITY.md (3)</summary><blockquote> `154-171`: **Status example doesn’t match the actual API shape.** `EncryptionKeyManager.getEncryptionStatus()` returns fields like `hasKey`, `keyValid`, `initialized`, `kekProtected`, `kekValid`, etc. Update the sample: ```diff -{ - "encryption": { - "enabled": true, - "configValid": true, - "forceEncryption": false, - "migrateOnAccess": true - }, - "migration": { - "isEncryptionEnabled": true, - "migrationCompleted": true, - "migrationDate": "2024-01-15T10:30:00Z" - } -} +{ + "hasKey": true, + "keyValid": true, + "keyId": "abcd1234ef56...", + "createdAt": "2025-09-16T02:40:00.000Z", + "algorithm": "aes-256-gcm", + "initialized": true, + "kekProtected": true, + "kekValid": true +} ``` --- `185-186`: **Update security warning message to reflect implementation.** Docs mention “not set, using default (INSECURE)”, but code generates a new random key when unset. Reword to avoid implying a static default exists. --- `192-202`: **Fix markdownlint MD036: use headings, not emphasis.** Replace emphasized pseudo‑headings with `####` headings for “Common Issues,” “Performance issues,” and “Key rotation.” </blockquote></details> <details> <summary>src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx (4)</summary><blockquote> `90-91`: **Strong typing: avoid `any[]` for hosts.** Use the central `SSHHost` type for `availableHosts`. ```diff -import { toast } from "sonner"; +import { toast } from "sonner"; +import type { SSHHost } from "@/types/index.js"; @@ - const [availableHosts, setAvailableHosts] = useState<any[]>([]); + const [availableHosts, setAvailableHosts] = useState<SSHHost[]>([]); ``` --- `128-140`: **Don’t require `publicKey` to deploy; let backend derive it if needed.** Blocking deployment when `publicKey` is missing is unnecessary if the server can derive it from the stored private key. Remove the check to reduce UX friction. ```diff const handleDeploy = (credential: Credential) => { if (credential.authType !== 'key') { toast.error("Only SSH key-based credentials can be deployed"); return; } - if (!credential.publicKey) { - toast.error("Public key is required for deployment"); - return; - } setDeployingCredential(credential); setSelectedHostId(""); setShowDeployDialog(true); }; ``` --- `142-169`: **Input validation and cleanup on close.** - Ensure `selectedHostId` parses to a finite number. - Reset transient state when the sheet closes to avoid stale state. ```diff - const performDeploy = async () => { + const performDeploy = async () => { if (!deployingCredential || !selectedHostId) { toast.error("Please select a target host"); return; } setDeployLoading(true); try { - const result = await deployCredentialToHost( - deployingCredential.id, - parseInt(selectedHostId) - ); + const hostId = Number(selectedHostId); + if (!Number.isFinite(hostId)) throw new Error("Invalid host id"); + const result = await deployCredentialToHost(deployingCredential.id, hostId); @@ - setShowDeployDialog(false); - setDeployingCredential(null); - setSelectedHostId(""); + setShowDeployDialog(false); + setDeployingCredential(null); + setSelectedHostId(""); } else { toast.error(result.error || "Deployment failed"); } @@ }; ``` And for the sheet: ```diff -<Sheet open={showDeployDialog} onOpenChange={setShowDeployDialog}> +<Sheet + open={showDeployDialog} + onOpenChange={(open) => { + setShowDeployDialog(open); + if (!open) { + setDeployingCredential(null); + setSelectedHostId(""); + setDeployLoading(false); + } + }} +> ``` --- `130-136`: **Internationalization: hard‑coded English strings.** New UI text (errors, labels, buttons, note content) bypasses i18n. Wrap with `t()` and add keys. Examples: ```diff - toast.error("Only SSH key-based credentials can be deployed"); + toast.error(t("credentials.deploy.onlyKeyCredentials")); @@ - toast.error("Public key is required for deployment"); + toast.error(t("credentials.deploy.publicKeyRequired")); @@ - <p>Deploy SSH key to host</p> + <p>{t("credentials.deploy.actionTooltip")}</p> @@ - <div className="text-xl font-semibold">Deploy SSH Key</div> + <div className="text-xl font-semibold">{t("credentials.deploy.title")}</div> ``` Applies throughout the deploy sheet content. Also applies to: 155-169, 658-677, 789-926 </blockquote></details> <details> <summary>src/ui/main-axios.ts (3)</summary><blockquote> `176-179`: **Hard‑coded Electron User‑Agent/version.** `"Termix-Electron/1.6.0"` will drift. Source the version from a single place (e.g., injected at build time or `import.meta.env.VITE_APP_VERSION`) to keep logs consistent. ```diff - config.headers["User-Agent"] = "Termix-Electron/1.6.0"; + config.headers["User-Agent"] = `Termix-Electron/${import.meta.env.VITE_APP_VERSION ?? "unknown"}`; ``` --- `1509-1510`: **Consistent error propagation style.** You’re using `throw handleApiError(...)` in several places, while elsewhere you just call `handleApiError(...)` (which already throws). Drop the extra `throw` for consistency and clarity. ```diff - } catch (error) { - throw handleApiError(error, "fetch credentials"); - } + } catch (error) { + handleApiError(error, "fetch credentials"); + } ``` Apply similarly to the other wrappers listed in the ranges. Also applies to: 1518-1519, 1527-1528, 1542-1543, 1551-1552, 1597-1599, 1607-1609, 1623-1624, 1666-1668, 1681-1682, 1694-1695, 1711-1712, 1726-1727, 1743-1744, 1758-1759 --- `1730-1745`: **Prefer specific response types over `any`.** For `generateKeyPair`/friends, define response shapes (e.g., `{ success: boolean; privateKey?: string; publicKey?: string; error?: string }`) to strengthen type safety across UI callers. </blockquote></details> <details> <summary>src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx (4)</summary><blockquote> `51-56`: **Use `ReturnType<typeof setTimeout>` for browser timers.** `NodeJS.Timeout` can be wrong in DOM builds. Safer typing: ```diff - const keyDetectionTimeoutRef = useRef<NodeJS.Timeout | null>(null); + const keyDetectionTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null); @@ - const publicKeyDetectionTimeoutRef = useRef<NodeJS.Timeout | null>(null); + const publicKeyDetectionTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null); ``` Also applies to: 220-231, 256-265, 290-299 --- `103-128`: **Tighten Zod schema for key/publicKey types.** `key` is `any` but you treat it as `string | File`. Make this explicit; also default `publicKey` to empty string or `undefined`, not both. ```diff - key: z.any().optional().nullable(), - publicKey: z.string().optional(), + key: z.union([z.string(), z.instanceof(File)]).optional().nullable(), + publicKey: z.string().trim().min(1).optional(), ``` Adjust defaults accordingly if you want `""` vs `undefined`. Also applies to: 151-166 --- `173-201`: **Avoid arbitrary `setTimeout` before `form.reset`.** The 100ms delay can race and cause flaky UX. Reset immediately after fetching details; React Hook Form can handle it without a delay. ```diff - setTimeout(() => { - const formData = { ... }; - form.reset(formData); - setTagInput(""); - }, 100); + const formData = { ... }; + form.reset(formData); + setTagInput(""); ``` --- `696-784`: **Harden key generation flows with typed responses and error details.** UI assumes `{ success, privateKey, publicKey, error }`. Define/consume a typed response to avoid runtime checks and surface backend error messages consistently in toasts. Also applies to: 903-935 </blockquote></details> <details> <summary>src/backend/utils/encryption.ts (3)</summary><blockquote> `22-25`: **Use 12‑byte IVs for AES‑GCM (performance/interop).** GCM performs best and is most interoperable with a 96‑bit IV. Using 16 bytes is allowed but slower and can surprise future consumers. Apply this diff: ```diff - ivLength: 16, + ivLength: 12, ``` --- `61-63`: **Always encrypt; don’t special‑case empty plaintext.** Returning empty fields breaks detection and health checks. Let AES‑GCM run even for empty strings. Apply this diff: ```diff - static encrypt(plaintext: string, key: Buffer): EncryptedData { - if (!plaintext) return { data: '', iv: '', tag: '' }; + static encrypt(plaintext: string, key: Buffer): EncryptedData { ``` --- `127-129`: **Dead code: generateSalt() is unused.** Either remove it or plumb it into per‑record keying if you plan to store per‑value salts. Apply this diff to remove if not used: ```diff - static generateSalt(): string { - return crypto.randomBytes(this.CONFIG.saltLength).toString('hex'); - } ``` </blockquote></details> <details> <summary>src/backend/utils/encryption-test.ts (3)</summary><blockquote> `115-122`: **Await async initialization to avoid races.** initialize() is async; even with provided masterPassword, future async inits could slip. Safer to await. Apply this diff: ```diff - DatabaseEncryption.initialize({ + await DatabaseEncryption.initialize({ masterPassword: this.testPassword, encryptionEnabled: true, forceEncryption: false, migrateOnAccess: true }); ``` --- `226-251`: **Production validator should await initialize().** Same reasoning as above; ensures status is read after init. Apply this diff: ```diff - DatabaseEncryption.initialize({ + await DatabaseEncryption.initialize({ masterPassword: encryptionKey, encryptionEnabled: true }); ``` --- `176-197`: **Error message assertion is brittle.** String‑matching on error messages is fragile. Prefer checking error type or a stable prefix you control. Example: ```diff - } catch (error) { - if (!error || !(error as Error).message.includes('decryption failed')) { + } catch (error) { + if (!(error instanceof Error) || !/^Field decryption failed:/i.test(error.message)) { throw new Error('Should throw appropriate decryption error'); } } ``` </blockquote></details> <details> <summary>src/backend/utils/master-key-protection.ts (2)</summary><blockquote> `184-191`: **isProtectedKey validation is permissive.** Only checks property presence; add basic type/length checks to reduce false positives. Apply this diff: ```diff - return !!(parsed.data && parsed.iv && parsed.tag && parsed.version && parsed.fingerprint); + return typeof parsed.data === 'string' + && typeof parsed.iv === 'string' && parsed.iv.length >= 24 + && typeof parsed.tag === 'string' && parsed.tag.length >= 16 + && parsed.version === this.VERSION + && typeof parsed.fingerprint === 'string' && parsed.fingerprint.length >= 8; ``` --- `126-133`: **Minimize sensitive fingerprint logging.** Even prefixes can aid tracking. Consider downgrading to debug or removing. </blockquote></details> <details> <summary>src/backend/utils/database-encryption.ts (3)</summary><blockquote> `41-73`: **Encrypt only string fields; guard non‑string values.** If a flagged field ever holds non‑string data, casting can throw. Add a typeof check and stringify policy. Apply this diff: ```diff - if (FieldEncryption.shouldEncryptField(tableName, fieldName) && value) { + if (FieldEncryption.shouldEncryptField(tableName, fieldName) && value != null) { try { const fieldKey = FieldEncryption.getFieldKey(context.masterPassword, `${tableName}.${fieldName}`); - encryptedRecord[fieldName] = FieldEncryption.encryptField(value as string, fieldKey); + if (typeof value === 'string') { + encryptedRecord[fieldName] = FieldEncryption.encryptField(value, fieldKey); + } else { + // Serialize deterministically before encrypting + encryptedRecord[fieldName] = FieldEncryption.encryptField(JSON.stringify(value), fieldKey); + } ``` --- `75-130`: **Decryption path should mirror serialization choice.** If you serialize non‑strings for encryption, parse them back (when JSON). Apply this diff: ```diff - if (FieldEncryption.isEncrypted(value as string)) { - decryptedRecord[fieldName] = FieldEncryption.decryptField(value as string, fieldKey); + if (typeof value === 'string' && FieldEncryption.isEncrypted(value)) { + const plain = FieldEncryption.decryptField(value, fieldKey); + // Try to parse JSON; fall back to raw + try { + decryptedRecord[fieldName] = JSON.parse(plain); + } catch { + decryptedRecord[fieldName] = plain; + } ``` --- `125-129`: **Migrate decrypted values, not original record.** Passing the original record may miss transforms applied during decryption. Use decryptedRecord. Apply this diff: ```diff - this.scheduleFieldMigration(tableName, record); + this.scheduleFieldMigration(tableName, decryptedRecord); ``` </blockquote></details> <details> <summary>src/backend/utils/encrypted-db-operations.ts (4)</summary><blockquote> `60-76`: **selectOne() should handle array or single‑row results.** Drizzle queries may return [] or a row depending on usage. Apply this diff: ```diff - const result = await query; - if (!result) return undefined; - - const decryptedResult = DatabaseEncryption.decryptRecord(tableName, result); + const result = await query; + if (!result) return undefined; + const row = Array.isArray(result) ? result[0] : result; + if (!row) return undefined; + const decryptedResult = DatabaseEncryption.decryptRecord(tableName, row); ``` --- `145-163`: **Switch‑case declarations leak across clauses (Biome noSwitchDeclarations).** Wrap each case in a block to scope declarations. Apply this diff: ```diff switch (tableName) { case 'users': - const { users } = await import('../database/db/schema.js'); - table = users; - records = await db.select().from(users); + { + const { users } = await import('../database/db/schema.js'); + table = users; + records = await db.select().from(users); + } break; case 'ssh_data': - const { sshData } = await import('../database/db/schema.js'); - table = sshData; - records = await db.select().from(sshData); + { + const { sshData } = await import('../database/db/schema.js'); + table = sshData; + records = await db.select().from(sshData); + } break; case 'ssh_credentials': - const { sshCredentials } = await import('../database/db/schema.js'); - table = sshCredentials; - records = await db.select().from(sshCredentials); + { + const { sshCredentials } = await import('../database/db/schema.js'); + table = sshCredentials; + records = await db.select().from(sshCredentials); + } break; ``` --- `169-173`: **Avoid importing eq() inside a hot loop.** Hoist the import once for performance and clarity. Apply this diff: ```diff - const { eq } = await import('drizzle-orm'); - await db.update(table).set(migratedRecord).where(eq((table as any).id, record.id)); + const { eq } = await import('drizzle-orm'); + await db.update(table).set(migratedRecord).where(eq((table as any).id, record.id)); ``` Move the `import('drizzle-orm')` outside the loop: ```diff - for (const record of records) { + const { eq } = await import('drizzle-orm'); + for (const record of records) { ``` --- `36-51`: **Decrypt query results defensively.** If query resolves to undefined/null, current code passes it to decryptRecords (which expects arrays). You guard already with try/catch, but add a nullish coalesce for safety. Apply this diff: ```diff - const decryptedResults = DatabaseEncryption.decryptRecords(tableName, results); + const decryptedResults = DatabaseEncryption.decryptRecords(tableName, results ?? []); ``` </blockquote></details> <details> <summary>unified_key_section.tsx (3)</summary><blockquote> `33-34`: **Silent error handling masks failures.** File read errors are only logged to console, which won't be visible to users in production. Users need feedback when file operations fail. Consider showing user-friendly error messages using your notification system instead of just console.error. --- `85-91`: **Consider using the centralized color system.** The component uses inline color classes like `text-green-600` and `text-destructive`. Consider using CSS variables from your established color token system for consistency. ```diff - <span className={`font-medium ${ - detectedKeyType === 'invalid' || detectedKeyType === 'error' - ? 'text-destructive' - : 'text-green-600' - }`}> + <span className={`font-medium ${ + detectedKeyType === 'invalid' || detectedKeyType === 'error' + ? 'text-destructive' + : 'text-success' + }`}> ``` --- `145-145`: **Inconsistent file accept attribute.** Public key upload accepts `*` while it should be more restrictive like the private key input. ```diff - accept="*,.pub,.txt" + accept=".pub,.txt" ``` </blockquote></details> <details> <summary>src/backend/utils/encryption-migration.ts (1)</summary><blockquote> `268-278`: **Test encryption uses predictable data.** The test encryption uses Date.now() which is predictable and could be insufficient for security validation. ```diff - const testData = `test-data-${Date.now()}`; + const crypto = await import('crypto'); + const testData = `test-data-${crypto.randomBytes(16).toString('hex')}`; ``` </blockquote></details> <details> <summary>src/backend/database/routes/credentials.ts (2)</summary><blockquote> `15-58`: **SSH key generation lacks proper error handling for unsupported key types.** The function silently falls back to defaults for unsupported key types without validation. Add validation for supported key types: ```diff try { + const supportedTypes = ['ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']; + if (!supportedTypes.includes(keyType)) { + return { + success: false, + error: `Unsupported key type: ${keyType}` + }; + } + // Convert our keyType to ssh2 format ``` --- `1131-1134`: **Connection timeout might be too long.** 30-second timeout for SSH connections could tie up resources. Consider making it configurable. ```diff - }, 30000); + }, parseInt(process.env.SSH_DEPLOY_TIMEOUT || '10000')); ``` </blockquote></details> </blockquote></details> <details> <summary>📜 Review details</summary> **Configuration used**: Path: .coderabbit.yaml **Review profile**: CHILL **Plan**: Pro <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 0f75cd4d16c7f59c9f52ec26b22e589425842cd9 and 0839cb4134cb8c307bcccd8c86a92c6e24272922. </details> <details> <summary>⛔ Files ignored due to path filters (3)</summary> * `package.json` is excluded by `!**/*.json` * `src/locales/en/translation.json` is excluded by `!**/*.json` * `src/locales/zh/translation.json` is excluded by `!**/*.json` </details> <details> <summary>📒 Files selected for processing (24)</summary> * `SECURITY.md` (1 hunks) * `src/backend/database/database.ts` (4 hunks) * `src/backend/database/db/index.ts` (1 hunks) * `src/backend/database/db/schema.ts` (1 hunks) * `src/backend/database/routes/credentials.ts` (9 hunks) * `src/backend/database/routes/ssh.ts` (2 hunks) * `src/backend/ssh/server-stats.ts` (4 hunks) * `src/backend/ssh/terminal.ts` (1 hunks) * `src/backend/ssh/tunnel.ts` (2 hunks) * `src/backend/starter.ts` (2 hunks) * `src/backend/utils/database-encryption.ts` (1 hunks) * `src/backend/utils/encrypted-db-operations.ts` (1 hunks) * `src/backend/utils/encryption-key-manager.ts` (1 hunks) * `src/backend/utils/encryption-migration.ts` (1 hunks) * `src/backend/utils/encryption-test.ts` (1 hunks) * `src/backend/utils/encryption.ts` (1 hunks) * `src/backend/utils/master-key-protection.ts` (1 hunks) * `src/backend/utils/ssh-key-utils.ts` (1 hunks) * `src/types/index.ts` (2 hunks) * `src/ui/Desktop/Admin/AdminSettings.tsx` (6 hunks) * `src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx` (10 hunks) * `src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx` (6 hunks) * `src/ui/main-axios.ts` (9 hunks) * `unified_key_section.tsx` (1 hunks) </details> <details> <summary>🧰 Additional context used</summary> <details> <summary>📓 Path-based instructions (5)</summary> <details> <summary>**/*.{ts,tsx}</summary> **⚙️ CodeRabbit configuration file** > `**/*.{ts,tsx}`: Review TypeScript and React code for Termix server management platform. Key considerations: > > **Architecture & Patterns:** > - Follow the established multi-port backend architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085) > - Use proper separation between Desktop and Mobile UI components > - Maintain consistent state management patterns with React hooks and context > - Follow the established tab-based navigation system > > **Database & Backend:** > - Use Drizzle ORM with SQLite for database operations > - Implement proper JWT authentication middleware patterns > - Follow the established API error handling patterns in main-axios.ts > - Use proper logging with the structured logger system (apiLogger, authLogger, sshLogger, etc.) > - Maintain proper input validation and sanitization > > **UI/UX Guidelines:** > - Use Shadcn/UI components with Tailwind CSS for consistent styling > - Follow the established theme system with dark/light mode support > - Use proper responsive design patterns for Desktop/Mobile views > - Implement proper loading states and error handling > - Use the established confirmation patterns with useConfirmation hook > - Use CSS variables and classes from index.css instead of hardcoding colors > - Follow the established color token system (--primary, --secondary, --background, etc.) > - Use proper Tailwind CSS classes instead of inline styles > - Implement proper focus states and accessibility indicators > > **SSH & Security:** > - Implement proper SSH connection management with session handling > - Use secure credential storage and management patterns > - Follow the established authentication flow (password, key, credential-based) > - Implement proper file operation security and validation > > **Code Quality:** > - Use proper TypeScript types from the centralized types/index.ts > - Follow the established API patterns in main-axios.ts > - Implement proper error boundaries and fallback UI > - Use proper React patterns (hooks, context, refs) > - Maintain consistent naming conventions... Files: - `src/backend/database/db/index.ts` - `src/types/index.ts` - `src/backend/ssh/terminal.ts` - `src/backend/ssh/tunnel.ts` - `src/backend/utils/ssh-key-utils.ts` - `src/backend/utils/master-key-protection.ts` - `src/backend/utils/encryption-migration.ts` - `src/backend/utils/encryption.ts` - `src/backend/ssh/server-stats.ts` - `src/ui/Desktop/Admin/AdminSettings.tsx` - `unified_key_section.tsx` - `src/backend/database/db/schema.ts` - `src/backend/utils/database-encryption.ts` - `src/backend/utils/encryption-test.ts` - `src/backend/starter.ts` - `src/backend/utils/encrypted-db-operations.ts` - `src/backend/database/routes/ssh.ts` - `src/backend/database/database.ts` - `src/ui/main-axios.ts` - `src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx` - `src/backend/utils/encryption-key-manager.ts` - `src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx` - `src/backend/database/routes/credentials.ts` </details> <details> <summary>**/backend/**/*.{ts,js}</summary> **⚙️ CodeRabbit configuration file** > `**/backend/**/*.{ts,js}`: Review backend code for Termix server management platform. Key considerations: > > **Backend Architecture:** > - Follow the multi-port microservice architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085) > - Use Express.js with proper middleware patterns > - Implement proper CORS and security headers > - Use proper request/response logging with structured logging > > **Database Operations:** > - Use Drizzle ORM with proper schema definitions > - Implement proper database migrations and schema updates > - Use proper transaction handling for critical operations > - Follow the established database connection patterns > > **Authentication & Security:** > - Implement proper JWT token validation and refresh > - Use bcryptjs for password hashing with proper salt rounds > - Implement proper input validation and sanitization > - Use proper CORS configuration for security > - Implement proper rate limiting and security headers > > **SSH Operations:** > - Use ssh2 library with proper connection management > - Implement proper SSH key handling and validation > - Use proper session management and cleanup > - Implement proper error handling for SSH operations > - Use proper file operation security and validation > > **API Design:** > - Follow RESTful API patterns with proper HTTP status codes > - Implement proper error response formatting > - Use proper request/response validation > - Implement proper API versioning and backward compatibility > - All API routes should be defined in main-axios.ts, not scattered across components > - Use the established multi-port API architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085) > - Follow the established error handling patterns with handleApiError function > - Use proper structured logging with service-specific loggers (apiLogger, authLogger, sshLogger, etc.) > > **Logging & Monitoring:** > - Use the structured logging system with proper context > - Implement proper error tracking and reporting > - Use proper performance monitoring and metrics > - Impleme... Files: - `src/backend/database/db/index.ts` - `src/backend/ssh/terminal.ts` - `src/backend/ssh/tunnel.ts` - `src/backend/utils/ssh-key-utils.ts` - `src/backend/utils/master-key-protection.ts` - `src/backend/utils/encryption-migration.ts` - `src/backend/utils/encryption.ts` - `src/backend/ssh/server-stats.ts` - `src/backend/database/db/schema.ts` - `src/backend/utils/database-encryption.ts` - `src/backend/utils/encryption-test.ts` - `src/backend/starter.ts` - `src/backend/utils/encrypted-db-operations.ts` - `src/backend/database/routes/ssh.ts` - `src/backend/database/database.ts` - `src/backend/utils/encryption-key-manager.ts` - `src/backend/database/routes/credentials.ts` </details> <details> <summary>**/types/**/*.{ts,js}</summary> **⚙️ CodeRabbit configuration file** > `**/types/**/*.{ts,js}`: Review type definitions for Termix server management platform. Key considerations: > > **Type Design:** > - Use proper TypeScript interfaces and type definitions > - Implement proper type safety and validation > - Use proper generic types and utility types > - Follow the established type naming conventions > > **API Types:** > - Define proper request/response types for all API endpoints > - Use proper error types and status codes > - Implement proper validation types and schemas > - Use proper pagination and filtering types > > **SSH Types:** > - Define proper SSH connection and configuration types > - Use proper tunnel and credential types > - Implement proper file operation types > - Use proper authentication and security types > > **Type Safety:** > - Ensure proper type coverage and completeness > - Use proper strict type checking > - Implement proper type narrowing and guards > - Use proper type assertions and casting > > Highlight any type safety issues, missing types, or type inconsistencies. > Files: - `src/types/index.ts` </details> <details> <summary>**/*.md</summary> **⚙️ CodeRabbit configuration file** > `**/*.md`: Review documentation files for Termix server management platform. Key considerations: > > **Documentation Quality:** > - Ensure proper grammar, spelling, and clarity > - Use proper formatting and structure > - Implement proper code examples and snippets > - Follow the established documentation standards > > **Content Accuracy:** > - Ensure proper technical accuracy and completeness > - Use proper up-to-date information and examples > - Implement proper cross-references and links > - Use proper version and compatibility information > > **User Experience:** > - Ensure proper user-friendly language and explanations > - Use proper step-by-step instructions and guides > - Implement proper troubleshooting and FAQ sections > - Use proper visual aids and diagrams where appropriate > > Highlight any documentation issues, inaccuracies, or missing information. > Files: - `SECURITY.md` </details> <details> <summary>**/main-axios.ts</summary> **⚙️ CodeRabbit configuration file** > `**/main-axios.ts`: Review main-axios.ts API client configuration for Termix server management platform. Key considerations: > > **API Client Architecture:** > - Maintain the multi-port API architecture (SSH: 8081, Tunnel: 8083, File Manager: 8084, Stats: 8085) > - Use proper service-specific API instances (sshHostApi, tunnelApi, fileManagerApi, statsApi, authApi) > - Implement proper API instance creation with createApiInstance function > - Use proper base URL configuration for different environments (dev, production, Electron) > > **Error Handling:** > - Use the centralized handleApiError function for consistent error handling > - Implement proper error classification (auth, network, validation, server errors) > - Use proper error logging with service-specific loggers > - Implement proper error response formatting and user-friendly messages > > **Request/Response Interceptors:** > - Implement proper JWT token handling in request interceptors > - Use proper request timing and performance logging > - Implement proper response logging and error tracking > - Use proper authentication token refresh and cleanup > > **API Function Organization:** > - Group API functions by service (SSH Host Management, Tunnel Management, File Manager, etc.) > - Use proper TypeScript types for all API functions > - Implement proper parameter validation and sanitization > - Use proper return type definitions and error handling > > **Authentication:** > - Implement proper JWT token management and refresh > - Use proper cookie handling for web and Electron environments > - Implement proper authentication state management > - Use proper token expiration and cleanup > > **Logging:** > - Use proper structured logging with context and metadata > - Implement proper request/response logging with performance metrics > - Use proper error logging with appropriate log levels > - Implement proper service-specific logger selection > > **Performance:** > - Implement proper request timeout and retry logic > - Use proper connection pooling and resource management > - Implement pr... Files: - `src/ui/main-axios.ts` </details> </details><details> <summary>🧬 Code graph analysis (16)</summary> <details> <summary>src/backend/utils/ssh-key-utils.ts (1)</summary><blockquote> <details> <summary>src/ui/main-axios.ts (2)</summary> * `detectKeyType` (1670-1683) * `validateKeyPair` (1698-1713) </details> </blockquote></details> <details> <summary>src/backend/utils/master-key-protection.ts (1)</summary><blockquote> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> </blockquote></details> <details> <summary>src/backend/utils/encryption-migration.ts (3)</summary><blockquote> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/backend/database/db/schema.ts (3)</summary> * `settings` (28-31) * `sshData` (33-70) * `sshCredentials` (128-154) </details> </blockquote></details> <details> <summary>src/backend/ssh/server-stats.ts (3)</summary><blockquote> <details> <summary>src/backend/utils/encrypted-db-operations.ts (1)</summary> * `EncryptedDBOperations` (213-213) </details> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/backend/database/db/schema.ts (2)</summary> * `sshData` (33-70) * `sshCredentials` (128-154) </details> </blockquote></details> <details> <summary>src/ui/Desktop/Admin/AdminSettings.tsx (1)</summary><blockquote> <details> <summary>src/ui/main-axios.ts (2)</summary> * `isElectron` (87-92) * `getCookie` (119-130) </details> </blockquote></details> <details> <summary>unified_key_section.tsx (1)</summary><blockquote> <details> <summary>src/backend/utils/ssh-key-utils.ts (1)</summary> * `getFriendlyKeyTypeName` (411-425) </details> </blockquote></details> <details> <summary>src/backend/utils/database-encryption.ts (3)</summary><blockquote> <details> <summary>src/backend/utils/encryption-key-manager.ts (1)</summary> * `EncryptionKeyManager` (322-322) </details> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> <details> <summary>src/backend/utils/encryption.ts (1)</summary> * `FieldEncryption` (142-142) </details> </blockquote></details> <details> <summary>src/backend/starter.ts (1)</summary><blockquote> <details> <summary>src/backend/utils/database-encryption.ts (1)</summary> * `DatabaseEncryption` (251-251) </details> </blockquote></details> <details> <summary>src/backend/utils/encrypted-db-operations.ts (3)</summary><blockquote> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> <details> <summary>src/backend/database/db/schema.ts (3)</summary> * `users` (4-26) * `sshData` (33-70) * `sshCredentials` (128-154) </details> </blockquote></details> <details> <summary>src/backend/database/routes/ssh.ts (3)</summary><blockquote> <details> <summary>src/backend/utils/encrypted-db-operations.ts (1)</summary> * `EncryptedDBOperations` (213-213) </details> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/backend/database/db/schema.ts (1)</summary> * `sshData` (33-70) </details> </blockquote></details> <details> <summary>src/backend/database/database.ts (2)</summary><blockquote> <details> <summary>src/backend/utils/encryption-migration.ts (1)</summary> * `initializeEncryption` (129-149) </details> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> </blockquote></details> <details> <summary>src/ui/main-axios.ts (1)</summary><blockquote> <details> <summary>src/backend/utils/ssh-key-utils.ts (2)</summary> * `detectKeyType` (396-406) * `validateKeyPair` (430-527) </details> </blockquote></details> <details> <summary>src/ui/Desktop/Apps/Credentials/CredentialsManager.tsx (2)</summary><blockquote> <details> <summary>src/types/index.ts (1)</summary> * `Credential` (63-80) </details> <details> <summary>src/ui/main-axios.ts (2)</summary> * `getSSHHosts` (591-598) * `deployCredentialToHost` (1747-1760) </details> </blockquote></details> <details> <summary>src/backend/utils/encryption-key-manager.ts (3)</summary><blockquote> <details> <summary>src/backend/utils/logger.ts (1)</summary> * `databaseLogger` (164-164) </details> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/backend/database/db/schema.ts (1)</summary> * `settings` (28-31) </details> </blockquote></details> <details> <summary>src/ui/Desktop/Apps/Credentials/CredentialEditor.tsx (3)</summary><blockquote> <details> <summary>src/ui/main-axios.ts (4)</summary> * `detectKeyType` (1670-1683) * `detectPublicKeyType` (1685-1696) * `generateKeyPair` (1730-1745) * `generatePublicKeyFromPrivate` (1715-1728) </details> <details> <summary>src/backend/utils/ssh-key-utils.ts (2)</summary> * `detectKeyType` (396-406) * `getFriendlyKeyTypeName` (411-425) </details> <details> <summary>src/components/ui/password-input.tsx (1)</summary> * `PasswordInput` (11-39) </details> </blockquote></details> <details> <summary>src/backend/database/routes/credentials.ts (4)</summary><blockquote> <details> <summary>src/backend/utils/ssh-key-utils.ts (3)</summary> * `parseSSHKey` (242-363) * `parsePublicKey` (368-391) * `validateKeyPair` (430-527) </details> <details> <summary>src/backend/database/db/schema.ts (2)</summary> * `sshCredentials` (128-154) * `sshData` (33-70) </details> <details> <summary>src/backend/database/db/index.ts (1)</summary> * `db` (311-311) </details> <details> <summary>src/ui/main-axios.ts (1)</summary> * `validateKeyPair` (1698-1713) </details> </blockquote></details> </details><details> <summary>🪛 markdownlint-cli2 (0.17.2)</summary> <details> <summary>SECURITY.md</summary> 192-192: Emphasis used instead of a heading (MD036, no-emphasis-as-heading) --- 197-197: Emphasis used instead of a heading (MD036, no-emphasis-as-heading) --- 202-202: Emphasis used instead of a heading (MD036, no-emphasis-as-heading) </details> </details> <details> <summary>🪛 Gitleaks (8.27.2)</summary> <details> <summary>src/backend/utils/ssh-key-utils.ts</summary> [high] 10-31: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (private-key) --- [high] 64-67: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (private-key) --- [high] 70-75: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (private-key) --- [high] 79-148: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (private-key) </details> </details> <details> <summary>🪛 Biome (2.1.2)</summary> <details> <summary>src/backend/utils/encrypted-db-operations.ts</summary> [error] 147-147: Other switch clauses can erroneously access this declaration. Wrap the declaration in a block to restrict its access to the switch clause. The declaration is defined in this switch clause: Safe fix: Wrap the declaration in a block. (lint/correctness/noSwitchDeclarations) --- [error] 152-152: Other switch clauses can erroneously access this declaration. Wrap the declaration in a block to restrict its access to the switch clause. The declaration is defined in this switch clause: Safe fix: Wrap the declaration in a block. (lint/correctness/noSwitchDeclarations) --- [error] 157-157: Other switch clauses can erroneously access this declaration. Wrap the declaration in a block to restrict its access to the switch clause. The declaration is defined in this switch clause: Safe fix: Wrap the declaration in a block. (lint/correctness/noSwitchDeclarations) </details> </details> </details> <details> <summary>🔇 Additional comments (18)</summary><blockquote> <details> <summary>src/types/index.ts (1)</summary><blockquote> `73-73`: **LGTM! Well-structured type addition** The addition of the optional `publicKey` field to both `Credential` and `CredentialData` interfaces is clean and maintains backward compatibility. </blockquote></details> <details> <summary>src/backend/ssh/tunnel.ts (1)</summary><blockquote> `458-458`: **Good backward compatibility approach** The implementation correctly prefers the new `privateKey` field while maintaining backward compatibility with the existing `key` field. </blockquote></details> <details> <summary>src/backend/ssh/terminal.ts (1)</summary><blockquote> `194-194`: **Consistent implementation with tunnel.ts** Good consistency in preferring the new `privateKey` field while maintaining backward compatibility, matching the pattern used in tunnel.ts. </blockquote></details> <details> <summary>src/backend/utils/ssh-key-utils.ts (2)</summary><blockquote> `279-290`: **Resolved — SSH public key formatting is handled** parsedKey.getPublicSSH() is checked and, when it returns a Buffer, the code base64-encodes the buffer and prefixes it with the key type (producing "keytype base64data") — implemented in src/backend/utils/ssh-key-utils.ts and src/backend/database/routes/credentials.ts. No change required. --- `1-3`: **Verify ssh2 import compatibility** Two files use a default import from 'ssh2' while the rest use named imports — this can break depending on project module settings (no package.json/tsconfig found to confirm esModuleInterop/allowSyntheticDefaultImports or "type"). Affected files: src/backend/utils/ssh-key-utils.ts, src/backend/database/routes/credentials.ts. Make imports consistent: either enable esModuleInterop/allowSyntheticDefaultImports (and confirm package.json "type") or switch to named imports (import { utils, Client } from 'ssh2') / use require(). </blockquote></details> <details> <summary>src/backend/database/db/index.ts (1)</summary><blockquote> `253-257`: **SSH credentials columns added — aligns with encrypted model** Adding private_key, public_key, and detected_key_type is consistent with the new encrypted credentials workflow and the Drizzle schema. No issues with idempotent addColumnIfNotExists usage. If not already done in schema.ts migrations elsewhere, confirm that any code reading credentials prefers private_key over legacy key where both exist, to avoid ambiguity post‑migration. </blockquote></details> <details> <summary>src/backend/database/routes/ssh.ts (1)</summary><blockquote> `16-16`: **Good: encryption layer imported where needed** Importing EncryptedDBOperations here is the right direction. </blockquote></details> <details> <summary>src/backend/starter.ts (1)</summary><blockquote> `21-26`: **Init order: encryption before SSH subsystems — good** Initializing DatabaseEncryption before loading terminal/tunnel/file-manager/stats modules matches the new security model. Confirm DatabaseEncryption.initialize() fails fast (process exit) if KEK/key material is corrupted to avoid starting dependent services in a partial state. </blockquote></details> <details> <summary>src/backend/ssh/server-stats.ts (1)</summary><blockquote> `309-314`: **Good: all DB reads now go through EncryptedDBOperations** Hosts and credential lookups are decrypted consistently. Also applies to: 340-343, 390-396 </blockquote></details> <details> <summary>SECURITY.md (1)</summary><blockquote> `197-201`: **Avoid unsubstantiated performance claims.** “Encryption adds ~1ms per operation” needs a reference or a benchmark caveat (hardware/workload dependent). Add a note or remove the figure. </blockquote></details> <details> <summary>src/backend/utils/encryption.ts (1)</summary><blockquote> `27-31`: **Confirm encrypted field registry is complete and consistent with schema.** Fields look aligned with schema, including ssh_credentials.privateKey/publicKey. Please confirm no other sensitive fields (e.g., users.client_id, issuer_url) require at-rest encryption per your threat model. </blockquote></details> <details> <summary>src/backend/utils/database-encryption.ts (1)</summary><blockquote> `188-204`: **Config validation: cover empty‑string edge case.** Given encrypting empty strings now produces valid objects, ensure the self‑test isn’t affected by sentinel logic elsewhere. </blockquote></details> <details> <summary>unified_key_section.tsx (2)</summary><blockquote> `69-69`: **LGTM! Proper controlled component handling.** Good implementation of controlled textarea with proper type checking for the field value. --- `240-264`: **LGTM! Well-structured public key generation UI.** The conditional rendering and loading states are properly handled, with clear user feedback through the generatePublicKeyNote. </blockquote></details> <details> <summary>src/backend/database/database.ts (1)</summary><blockquote> `260-275`: **LGTM! Well-structured status endpoint.** Good separation of concerns between encryption status and migration status, with proper error handling. </blockquote></details> <details> <summary>src/backend/utils/encryption-migration.ts (1)</summary><blockquote> `358-370`: **LGTM! Smart encryption detection heuristic.** Good implementation of encryption detection that checks for both JSON format and base64 characteristics. </blockquote></details> <details> <summary>src/backend/database/routes/credentials.ts (2)</summary><blockquote> `198-203`: **LGTM! Proper use of encrypted DB operations.** Good integration with EncryptedDBOperations for secure credential storage. --- `1344-1345`: **Good backward compatibility handling.** The code properly handles both the new `privateKey` field and the legacy `key` field. </blockquote></details> </blockquote></details> </details>

SECURITY.md

						
				@@ -0,0 +38,4 @@

				- Cryptographically random

				- Unique per installation

				- Safely backed up

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:55 +00:00

⚠️ Potential issue

Align key requirements with implementation (64‑hex recommended).

Docs say “≥16 chars,” but the code requires ≥32 and the system expects a 32‑byte key; recommended generation uses -hex 32. Tighten the requirement and call out hex explicitly.

-DB_ENCRYPTION_KEY=your-very-strong-encryption-key-32-chars-minimum
+DB_ENCRYPTION_KEY=<64-hex-chars (32 bytes), e.g. output of `openssl rand -hex 32`>
@@
-**⚠️ CRITICAL:** The encryption key must be:
-- At least 16 characters long (32+ recommended)
+**⚠️ CRITICAL:** The encryption key must be:
+- Exactly 32 bytes (64 hex characters)
 - Cryptographically random
 - Unique per installation
 - Safely backed up

Also applies to: 36-41

🤖 Prompt for AI Agents

In SECURITY.md around lines 31 to 41, the documented encryption key requirement
is inconsistent with the implementation (docs say ≥16 chars but code enforces a
32‑byte key and expects hex); update the text to require a 32‑byte key encoded
as 64 hexadecimal characters, explicitly call out that the key must be
hex-encoded, change the example to a 64‑char hex value and add the recommended
generator command (e.g. openssl rand -hex 32), and make the same correction for
the repeated guidance on lines 36–41.

_⚠️ Potential issue_ **Align key requirements with implementation (64‑hex recommended).** Docs say “≥16 chars,” but the code requires ≥32 and the system expects a 32‑byte key; recommended generation uses `-hex 32`. Tighten the requirement and call out hex explicitly. ```diff -DB_ENCRYPTION_KEY=your-very-strong-encryption-key-32-chars-minimum +DB_ENCRYPTION_KEY=<64-hex-chars (32 bytes), e.g. output of `openssl rand -hex 32`> @@ -**⚠️ CRITICAL:** The encryption key must be: -- At least 16 characters long (32+ recommended) +**⚠️ CRITICAL:** The encryption key must be: +- Exactly 32 bytes (64 hex characters) - Cryptographically random - Unique per installation - Safely backed up ``` Also applies to: 36-41 <details> <summary>🤖 Prompt for AI Agents</summary> ``` In SECURITY.md around lines 31 to 41, the documented encryption key requirement is inconsistent with the implementation (docs say ≥16 chars but code enforces a 32‑byte key and expects hex); update the text to require a 32‑byte key encoded as 64 hexadecimal characters, explicitly call out that the key must be hex-encoded, change the example to a 64‑char hex value and add the recommended generator command (e.g. openssl rand -hex 32), and make the same correction for the repeated guidance on lines 36–41. ``` </details>

src/backend/database/database.ts

						
				@@ -258,0 +299,4 @@

				  }

				});

				app.post("/encryption/migrate", async (req, res) => {

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:55 +00:00

⚠️ Potential issue

Potential information disclosure in error response.

The endpoint returns the first 8 characters of the master key in the response, which could aid attackers in brute-force attempts.

     res.json({
       success: true,
       message: "Encryption initialized successfully",
-      keyPreview: newKey.substring(0, 8) + "..."
+      // Don't expose any part of the encryption key
     });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    const { EncryptionKeyManager } = await import("../utils/encryption-key-manager.js");
    const keyManager = EncryptionKeyManager.getInstance();

    const newKey = await keyManager.generateNewKey();
    await DatabaseEncryption.initialize({ masterPassword: newKey });

    apiLogger.info("Encryption initialized via API", {
      operation: "encryption_init_api"
    });

    res.json({
      success: true,
      message: "Encryption initialized successfully",
      // Don't expose any part of the encryption key
    });

🤖 Prompt for AI Agents

In src/backend/database/database.ts around lines 279 to 293, the API response
currently includes the first 8 characters of the generated master key
(keyPreview), which risks information disclosure; remove the keyPreview field
from the JSON response and instead return only a success status/message (and any
non-sensitive metadata). If you must convey the key to an operator, deliver it
through a secure out-of-band channel (e.g., CLI output, encrypted vault entry,
or transient download) and do not log or return any key fragments in HTTP
responses or standard logs.

_⚠️ Potential issue_ **Potential information disclosure in error response.** The endpoint returns the first 8 characters of the master key in the response, which could aid attackers in brute-force attempts. ```diff res.json({ success: true, message: "Encryption initialized successfully", - keyPreview: newKey.substring(0, 8) + "..." + // Don't expose any part of the encryption key }); ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion const { EncryptionKeyManager } = await import("../utils/encryption-key-manager.js"); const keyManager = EncryptionKeyManager.getInstance(); const newKey = await keyManager.generateNewKey(); await DatabaseEncryption.initialize({ masterPassword: newKey }); apiLogger.info("Encryption initialized via API", { operation: "encryption_init_api" }); res.json({ success: true, message: "Encryption initialized successfully", // Don't expose any part of the encryption key }); ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/database.ts around lines 279 to 293, the API response currently includes the first 8 characters of the generated master key (keyPreview), which risks information disclosure; remove the keyPreview field from the JSON response and instead return only a success status/message (and any non-sensitive metadata). If you must convey the key to an operator, deliver it through a secure out-of-band channel (e.g., CLI output, encrypted vault entry, or transient download) and do not log or return any key fragments in HTTP responses or standard logs. ``` </details>

src/backend/database/database.ts

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:55 +00:00

⚠️ Potential issue

Key regeneration endpoint lacks safeguards.

The /encryption/regenerate endpoint could lead to data loss if called accidentally. It should require additional confirmation or be restricted to specific environments.

Consider adding:

A confirmation token requirement
Environment-based restrictions (disable in production)
Automatic backup before regeneration
Rate limiting to prevent abuse

🤖 Prompt for AI Agents

In src/backend/database/database.ts around lines 344 to 363, the
/encryption/regenerate endpoint currently allows blind key rotation and must be
hardened: require a confirmation token (e.g., a one-time token or configured
ADMIN_REGEN_TOKEN passed in body/header and validated before proceeding),
disallow or block the endpoint in production by checking NODE_ENV (or a config
flag) and returning 403 when disabled, perform an automatic verified backup step
before calling DatabaseEncryption.reinitializeWithNewKey() (invoke existing
backup routine or create a transactional dump and verify it succeeded; abort on
failure), and apply rate limiting to the endpoint (use existing rate-limiter
middleware or add a simple per-IP/UID limiter and return 429 if exceeded);
ensure logs and HTTP responses reflect validation failures (401/403/429/500) and
do not proceed to reinitialize unless all checks and backup succeed.

_⚠️ Potential issue_ **Key regeneration endpoint lacks safeguards.** The `/encryption/regenerate` endpoint could lead to data loss if called accidentally. It should require additional confirmation or be restricted to specific environments. Consider adding: 1. A confirmation token requirement 2. Environment-based restrictions (disable in production) 3. Automatic backup before regeneration 4. Rate limiting to prevent abuse <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/database.ts around lines 344 to 363, the /encryption/regenerate endpoint currently allows blind key rotation and must be hardened: require a confirmation token (e.g., a one-time token or configured ADMIN_REGEN_TOKEN passed in body/header and validated before proceeding), disallow or block the endpoint in production by checking NODE_ENV (or a config flag) and returning 403 when disabled, perform an automatic verified backup step before calling DatabaseEncryption.reinitializeWithNewKey() (invoke existing backup routine or create a transactional dump and verify it succeeded; abort on failure), and apply rate limiting to the endpoint (use existing rate-limiter middleware or add a simple per-IP/UID limiter and return 429 if exceeded); ensure logs and HTTP responses reflect validation failures (401/403/429/500) and do not proceed to reinitialize unless all checks and backup succeed. ``` </details>

src/backend/database/database.ts

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:55 +00:00

⚠️ Potential issue

Environment variable parsing is fragile.

The code doesn't validate environment variable values and uses loose comparisons that could lead to unexpected behavior.

     await DatabaseEncryption.initialize({
-      encryptionEnabled: process.env.ENCRYPTION_ENABLED !== 'false',
-      forceEncryption: process.env.FORCE_ENCRYPTION === 'true',
-      migrateOnAccess: process.env.MIGRATE_ON_ACCESS !== 'false'
+      encryptionEnabled: process.env.ENCRYPTION_ENABLED?.toLowerCase() === 'true',
+      forceEncryption: process.env.FORCE_ENCRYPTION?.toLowerCase() === 'true',
+      migrateOnAccess: process.env.MIGRATE_ON_ACCESS?.toLowerCase() === 'true'
     });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    await DatabaseEncryption.initialize({
      encryptionEnabled: process.env.ENCRYPTION_ENABLED?.toLowerCase() === 'true',
      forceEncryption: process.env.FORCE_ENCRYPTION?.toLowerCase() === 'true',
      migrateOnAccess: process.env.MIGRATE_ON_ACCESS?.toLowerCase() === 'true'
    });

_⚠️ Potential issue_ **Environment variable parsing is fragile.** The code doesn't validate environment variable values and uses loose comparisons that could lead to unexpected behavior. ```diff await DatabaseEncryption.initialize({ - encryptionEnabled: process.env.ENCRYPTION_ENABLED !== 'false', - forceEncryption: process.env.FORCE_ENCRYPTION === 'true', - migrateOnAccess: process.env.MIGRATE_ON_ACCESS !== 'false' + encryptionEnabled: process.env.ENCRYPTION_ENABLED?.toLowerCase() === 'true', + forceEncryption: process.env.FORCE_ENCRYPTION?.toLowerCase() === 'true', + migrateOnAccess: process.env.MIGRATE_ON_ACCESS?.toLowerCase() === 'true' }); ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion await DatabaseEncryption.initialize({ encryptionEnabled: process.env.ENCRYPTION_ENABLED?.toLowerCase() === 'true', forceEncryption: process.env.FORCE_ENCRYPTION?.toLowerCase() === 'true', migrateOnAccess: process.env.MIGRATE_ON_ACCESS?.toLowerCase() === 'true' }); ``` </details>

src/backend/database/routes/credentials.ts

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Excessive console logging in production endpoints.

The key detection endpoints contain extensive console.log statements that could expose sensitive information in production logs.

Remove or guard console.log statements:

-  console.log("=== Key Detection API Called ===");
-  console.log("Request body keys:", Object.keys(req.body));
-  console.log("Private key provided:", !!privateKey);
-  console.log("Private key type:", typeof privateKey);
+  if (process.env.NODE_ENV === 'development') {
+    console.log("Key detection API called with keys:", Object.keys(req.body));
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

  if (process.env.NODE_ENV === 'development') {
    console.log("Key detection API called with keys:", Object.keys(req.body));
  }

  if (!privateKey || typeof privateKey !== "string") {
    console.log("Invalid private key provided");
    return res.status(400).json({ error: "Private key is required" });
  }

  try {
    console.log("Calling parseSSHKey...");
    const keyInfo = parseSSHKey(privateKey, keyPassword);
    console.log("parseSSHKey result:", keyInfo);

    const response = {
      success: keyInfo.success,
      keyType: keyInfo.keyType,
      detectedKeyType: keyInfo.keyType,
      hasPublicKey: !!keyInfo.publicKey,
      error: keyInfo.error || null
    };

    console.log("Sending response:", response);
    res.json(response);
  } catch (error) {
    console.error("Exception in detect-key-type endpoint:", error);
    authLogger.error("Failed to detect key type", error);
    res.status(500).json({
      error: error instanceof Error ? error.message : "Failed to detect key type"
    });
  }
});

🤖 Prompt for AI Agents

In src/backend/database/routes/credentials.ts around lines 763 to 795, there are
multiple console.log statements that can leak sensitive key material; remove
these console.log calls and replace them with minimal, non-sensitive logging via
the existing logger (e.g. authLogger.debug/info) behind an environment check
(NODE_ENV !== "production" or a dedicated DEBUG flag), never log raw privateKey
or key material (log boolean flags like hasPrivateKey or masked/sanitized
indicators only), and ensure errors use authLogger.error with the error object
but without including secret contents before sending generic error responses to
the client.

_⚠️ Potential issue_ **Excessive console logging in production endpoints.** The key detection endpoints contain extensive console.log statements that could expose sensitive information in production logs. Remove or guard console.log statements: ```diff - console.log("=== Key Detection API Called ==="); - console.log("Request body keys:", Object.keys(req.body)); - console.log("Private key provided:", !!privateKey); - console.log("Private key type:", typeof privateKey); + if (process.env.NODE_ENV === 'development') { + console.log("Key detection API called with keys:", Object.keys(req.body)); + } ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion if (process.env.NODE_ENV === 'development') { console.log("Key detection API called with keys:", Object.keys(req.body)); } if (!privateKey || typeof privateKey !== "string") { console.log("Invalid private key provided"); return res.status(400).json({ error: "Private key is required" }); } try { console.log("Calling parseSSHKey..."); const keyInfo = parseSSHKey(privateKey, keyPassword); console.log("parseSSHKey result:", keyInfo); const response = { success: keyInfo.success, keyType: keyInfo.keyType, detectedKeyType: keyInfo.keyType, hasPublicKey: !!keyInfo.publicKey, error: keyInfo.error || null }; console.log("Sending response:", response); res.json(response); } catch (error) { console.error("Exception in detect-key-type endpoint:", error); authLogger.error("Failed to detect key type", error); res.status(500).json({ error: error instanceof Error ? error.message : "Failed to detect key type" }); } }); ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/routes/credentials.ts around lines 763 to 795, there are multiple console.log statements that can leak sensitive key material; remove these console.log calls and replace them with minimal, non-sensitive logging via the existing logger (e.g. authLogger.debug/info) behind an environment check (NODE_ENV !== "production" or a dedicated DEBUG flag), never log raw privateKey or key material (log boolean flags like hasPrivateKey or masked/sanitized indicators only), and ensure errors use authLogger.error with the error object but without including secret contents before sending generic error responses to the client. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Unsafe grep pattern in key existence check.

Using the key content directly in grep could fail or cause issues with special regex characters.

-          const keyPattern = publicKey.split(' ')[1]; // Get the key part without algorithm
-          conn.exec(`grep -q "${keyPattern}" ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => {
+          // Use grep -F for literal string matching
+          const keyPattern = publicKey.split(' ')[1];
+          const escapedPattern = keyPattern.replace(/[[\]{}()*+?.\\^$|]/g, '\\$&');
+          conn.exec(`grep -qF "${escapedPattern}" ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

// Use grep -F with proper shell quoting of the pattern
const keyPattern = publicKey.split(' ')[1]; // Get the key part without algorithm
const safePattern = keyPattern.replace(/'/g, "'\\''"); // escape single quotes for safe single-quoting
conn.exec(`grep -qF -- '${safePattern}' ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => {

🤖 Prompt for AI Agents

In src/backend/database/routes/credentials.ts around lines 1157-1158, the code
injects the raw key content into a shell grep command which is unsafe for
regex/shell metacharacters and can cause failures or injections; replace this
with a literal search (e.g., use grep -F -q with the key as a single argument)
or, even better, avoid shell interpolation entirely by reading
~/.ssh/authorized_keys in Node and checking for the key with a literal string
comparison (or use child_process.execFile/spawn with the key passed as an
argument) so the key is treated as data, not a regex or shell code.

_⚠️ Potential issue_ **Unsafe grep pattern in key existence check.** Using the key content directly in grep could fail or cause issues with special regex characters. ```diff - const keyPattern = publicKey.split(' ')[1]; // Get the key part without algorithm - conn.exec(`grep -q "${keyPattern}" ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => { + // Use grep -F for literal string matching + const keyPattern = publicKey.split(' ')[1]; + const escapedPattern = keyPattern.replace(/[[\]{}()*+?.\\^$|]/g, '\\$&'); + conn.exec(`grep -qF "${escapedPattern}" ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => { ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion // Use grep -F with proper shell quoting of the pattern const keyPattern = publicKey.split(' ')[1]; // Get the key part without algorithm const safePattern = keyPattern.replace(/'/g, "'\\''"); // escape single quotes for safe single-quoting conn.exec(`grep -qF -- '${safePattern}' ~/.ssh/authorized_keys 2>/dev/null`, (err, stream) => { ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/routes/credentials.ts around lines 1157-1158, the code injects the raw key content into a shell grep command which is unsafe for regex/shell metacharacters and can cause failures or injections; replace this with a literal search (e.g., use grep -F -q with the key as a single argument) or, even better, avoid shell interpolation entirely by reading ~/.ssh/authorized_keys in Node and checking for the key with a literal string comparison (or use child_process.execFile/spawn with the key passed as an argument) so the key is treated as data, not a regex or shell code. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Command injection vulnerability in SSH key deployment.

The public key is directly interpolated into shell commands without proper escaping, which could allow command injection.

The current escaping only handles single quotes but not other shell metacharacters:

-          const escapedKey = publicKey.replace(/'/g, "'\\''");
-          conn.exec(`echo '${escapedKey}' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys`, (err, stream) => {
+          // Use SFTP to write the key safely without shell interpretation
+          conn.sftp((err, sftp) => {
+            if (err) return rejectAdd(err);
+            const stream = sftp.createWriteStream('~/.ssh/authorized_keys', { flags: 'a', mode: 0o600 });
+            stream.write(publicKey + '\n');
+            stream.end(() => resolveAdd());
+          });

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/backend/database/routes/credentials.ts around lines 1175-1176, the code
interpolates the publicKey into a shell command leading to possible command
injection; instead, validate and sanitize the key (ensure it matches an accepted
SSH public key pattern, strip newlines/whitespace), then avoid embedding it in a
shell command by using the SSH2 SFTP API (conn.sftp()) to safely create/ensure
~/.ssh exists with 0700, open or create ~/.ssh/authorized_keys, append the
validated key with a trailing newline, and set authorized_keys to 0600; if SFTP
isn’t available, use a safe remote API that writes raw bytes (not shell
interpolation) or execute a single quoted ssh-escaped printf via a parameterized
exec helper that does not allow shell expansion.

_⚠️ Potential issue_ **Command injection vulnerability in SSH key deployment.** The public key is directly interpolated into shell commands without proper escaping, which could allow command injection. The current escaping only handles single quotes but not other shell metacharacters: ```diff - const escapedKey = publicKey.replace(/'/g, "'\\''"); - conn.exec(`echo '${escapedKey}' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys`, (err, stream) => { + // Use SFTP to write the key safely without shell interpretation + conn.sftp((err, sftp) => { + if (err) return rejectAdd(err); + const stream = sftp.createWriteStream('~/.ssh/authorized_keys', { flags: 'a', mode: 0o600 }); + stream.write(publicKey + '\n'); + stream.end(() => resolveAdd()); + }); ``` > Committable suggestion skipped: line range outside the PR's diff. <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/routes/credentials.ts around lines 1175-1176, the code interpolates the publicKey into a shell command leading to possible command injection; instead, validate and sanitize the key (ensure it matches an accepted SSH public key pattern, strip newlines/whitespace), then avoid embedding it in a shell command by using the SSH2 SFTP API (conn.sftp()) to safely create/ensure ~/.ssh exists with 0700, open or create ~/.ssh/authorized_keys, append the validated key with a trailing newline, and set authorized_keys to 0600; if SFTP isn’t available, use a safe remote API that writes raw bytes (not shell interpolation) or execute a single quoted ssh-escaped printf via a parameterized exec helper that does not allow shell expansion. ``` </details>

src/backend/database/routes/ssh.ts

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Only this endpoint uses the encryption wrapper; other routes still bypass it (plaintext risk + broken reads)

Reads/writes elsewhere (GET /db/host, GET /db/host/:id, create/update/bulk-import, resolveHostCredentials) still use direct db.* calls. That will (a) persist secrets in plaintext and (b) return ciphertext for encrypted fields. Route all ssh_data and ssh_credentials operations through EncryptedDBOperations.

Apply patterns like below across the file:

- const data = await db.select().from(sshData).where(eq(sshData.userId, userId));
+ const data = await EncryptedDBOperations.select(
+   db.select().from(sshData).where(eq(sshData.userId, userId)),
+   'ssh_data'
+);

- const data = await db.select().from(sshData)
-   .where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId)));
+ const data = await EncryptedDBOperations.select(
+   db.select().from(sshData)
+     .where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId))),
+   'ssh_data'
+);

- const credentials = await db.select().from(sshCredentials).where(...);
+ const credentials = await EncryptedDBOperations.select(
+   db.select().from(sshCredentials).where(...),
+   'ssh_credentials'
+);

If EncryptedDBOperations exposes insert/update helpers, use them for create/update/bulk-import; otherwise encrypt/decrypt via the provided field helpers before persisting/after reading.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    const data = await EncryptedDBOperations.select(
      db.select().from(sshData),
      'ssh_data'
    );

🤖 Prompt for AI Agents

In src/backend/database/routes/ssh.ts around lines 66-69, the review notes only
this endpoint uses EncryptedDBOperations while other routes still call db.*
directly; update all routes that read/write ssh_data and ssh_credentials (GET
/db/host, GET /db/host/:id, create/update/bulk-import, resolveHostCredentials
and any other db.* usage in this file) to go through EncryptedDBOperations so
secrets are not stored or returned in plaintext. For each
create/update/bulk-import use the EncryptedDBOperations insert/update helpers if
available; otherwise call the provided field-level encrypt helpers before
persisting and decrypt helpers after reads; replace direct
db.select/db.insert/db.update calls with the corresponding encrypted wrapper
calls and ensure query parameters and returned shapes match existing API.

_⚠️ Potential issue_ **Only this endpoint uses the encryption wrapper; other routes still bypass it (plaintext risk + broken reads)** Reads/writes elsewhere (GET /db/host, GET /db/host/:id, create/update/bulk-import, resolveHostCredentials) still use direct db.* calls. That will (a) persist secrets in plaintext and (b) return ciphertext for encrypted fields. Route all ssh_data and ssh_credentials operations through EncryptedDBOperations. Apply patterns like below across the file: ```diff - const data = await db.select().from(sshData).where(eq(sshData.userId, userId)); + const data = await EncryptedDBOperations.select( + db.select().from(sshData).where(eq(sshData.userId, userId)), + 'ssh_data' +); - const data = await db.select().from(sshData) - .where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId))); + const data = await EncryptedDBOperations.select( + db.select().from(sshData) + .where(and(eq(sshData.id, Number(hostId)), eq(sshData.userId, userId))), + 'ssh_data' +); - const credentials = await db.select().from(sshCredentials).where(...); + const credentials = await EncryptedDBOperations.select( + db.select().from(sshCredentials).where(...), + 'ssh_credentials' +); ``` If EncryptedDBOperations exposes insert/update helpers, use them for create/update/bulk-import; otherwise encrypt/decrypt via the provided field helpers before persisting/after reading.  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion const data = await EncryptedDBOperations.select( db.select().from(sshData), 'ssh_data' ); ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/database/routes/ssh.ts around lines 66-69, the review notes only this endpoint uses EncryptedDBOperations while other routes still call db.* directly; update all routes that read/write ssh_data and ssh_credentials (GET /db/host, GET /db/host/:id, create/update/bulk-import, resolveHostCredentials and any other db.* usage in this file) to go through EncryptedDBOperations so secrets are not stored or returned in plaintext. For each create/update/bulk-import use the EncryptedDBOperations insert/update helpers if available; otherwise call the provided field-level encrypt helpers before persisting and decrypt helpers after reads; replace direct db.select/db.insert/db.update calls with the corresponding encrypted wrapper calls and ensure query parameters and returned shapes match existing API. ``` </details>

src/backend/utils/encrypted-db-operations.ts

						
				@@ -0,0 +104,4 @@

				        table: tableName

				      });

				      throw error;

				    }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Update() returns encrypted rows; decrypt before returning.

Inconsistent with insert()/select(); callers will get ciphertext.

Apply this diff:

-      const result = await db.update(table).set(encryptedData).where(where).returning();
+      const result = await db.update(table).set(encryptedData).where(where).returning();
+      const decrypted = DatabaseEncryption.decryptRecords(tableName, result);
...
-      return result as T[];
+      return decrypted as T[];

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

  static async update<T extends Record<string, any>>(
    table: SQLiteTable<any>,
    tableName: TableName,
    where: any,
    data: Partial<T>
  ): Promise<T[]> {
    try {
      const encryptedData = DatabaseEncryption.encryptRecord(tableName, data);
      const result = await db.update(table).set(encryptedData).where(where).returning();
      const decrypted = DatabaseEncryption.decryptRecords(tableName, result);

      databaseLogger.debug(`Updated encrypted record in ${tableName}`, {
        operation: 'encrypted_update',
        table: tableName
      });

      return decrypted as T[];
    } catch (error) {
      databaseLogger.error(`Failed to update encrypted record in ${tableName}`, error, {
        operation: 'encrypted_update_failed',
        table: tableName
      });
      throw error;
    }
  }

🤖 Prompt for AI Agents

In src/backend/utils/encrypted-db-operations.ts around lines 85 to 107, update()
currently returns ciphertext rows; decrypt the returned rows before returning to
match insert()/select() behavior. After receiving result from
db.update(...).returning(), map over each returned row and call
DatabaseEncryption.decryptRecord(tableName, row) (handle null/undefined safely)
and return the decrypted array (cast to T[]); keep the existing logs and error
handling unchanged.

_⚠️ Potential issue_ **Update() returns encrypted rows; decrypt before returning.** Inconsistent with insert()/select(); callers will get ciphertext. Apply this diff: ```diff - const result = await db.update(table).set(encryptedData).where(where).returning(); + const result = await db.update(table).set(encryptedData).where(where).returning(); + const decrypted = DatabaseEncryption.decryptRecords(tableName, result); ... - return result as T[]; + return decrypted as T[]; ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion static async update<T extends Record<string, any>>( table: SQLiteTable<any>, tableName: TableName, where: any, data: Partial<T> ): Promise<T[]> { try { const encryptedData = DatabaseEncryption.encryptRecord(tableName, data); const result = await db.update(table).set(encryptedData).where(where).returning(); const decrypted = DatabaseEncryption.decryptRecords(tableName, result); databaseLogger.debug(`Updated encrypted record in ${tableName}`, { operation: 'encrypted_update', table: tableName }); return decrypted as T[]; } catch (error) { databaseLogger.error(`Failed to update encrypted record in ${tableName}`, error, { operation: 'encrypted_update_failed', table: tableName }); throw error; } } ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encrypted-db-operations.ts around lines 85 to 107, update() currently returns ciphertext rows; decrypt the returned rows before returning to match insert()/select() behavior. After receiving result from db.update(...).returning(), map over each returned row and call DatabaseEncryption.decryptRecord(tableName, row) (handle null/undefined safely) and return the decrypted array (cast to T[]); keep the existing logs and error handling unchanged. ``` </details>

src/backend/utils/encryption-key-manager.ts

						
				@@ -0,0 +78,4 @@

				        await this.storeKey(environmentKey);

				        this.currentKey = environmentKey;

				        return environmentKey;

				      }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Env key validation rejects strong hex keys; accept 64‑hex or derive from passphrases.

As written, validateKeyStrength flags a cryptographically strong hex key like openssl rand -hex 32 as “too weak” (no specials/upper), causing env keys to be rejected. This contradicts SECURITY.md and will confuse operators.

Action:

Treat 64‑hex (32 bytes) as valid outright.
Optionally allow non‑hex passphrases by KDF→32‑byte key (PBKDF2/HKDF) or explicitly require hex.

Patch (minimal, hex‑first):

   private validateKeyStrength(key: string): boolean {
-    if (key.length < 32) return false;
+    // Accept canonical 32-byte hex keys (recommended)
+    if (/^[a-fA-F0-9]{64}$/.test(key)) return true;
+    if (key.length < 32) return false;
 
     const hasLower = /[a-z]/.test(key);
     const hasUpper = /[A-Z]/.test(key);
     const hasDigit = /\d/.test(key);
     const hasSpecial = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(key);
 
-    const entropyTest = new Set(key).size / key.length;
-
     const complexity = Number(hasLower) + Number(hasUpper) + Number(hasDigit) + Number(hasSpecial);
-    return complexity >= 3 && entropyTest > 0.4;
+    // Heuristic for non-hex passphrases
+    const entropyTest = new Set(key).size / key.length;
+    return complexity >= 3 && entropyTest > 0.4;
   }

If you want KDF support for non‑hex env keys, I can add PBKDF2+HKDF here to normalize to 32 bytes.

Also applies to: 250-262

_⚠️ Potential issue_ **Env key validation rejects strong hex keys; accept 64‑hex or derive from passphrases.** As written, `validateKeyStrength` flags a cryptographically strong hex key like `openssl rand -hex 32` as “too weak” (no specials/upper), causing env keys to be rejected. This contradicts SECURITY.md and will confuse operators. Action: - Treat 64‑hex (32 bytes) as valid outright. - Optionally allow non‑hex passphrases by KDF→32‑byte key (PBKDF2/HKDF) or explicitly require hex. Patch (minimal, hex‑first): ```diff private validateKeyStrength(key: string): boolean { - if (key.length < 32) return false; + // Accept canonical 32-byte hex keys (recommended) + if (/^[a-fA-F0-9]{64}$/.test(key)) return true; + if (key.length < 32) return false; const hasLower = /[a-z]/.test(key); const hasUpper = /[A-Z]/.test(key); const hasDigit = /\d/.test(key); const hasSpecial = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(key); - const entropyTest = new Set(key).size / key.length; - const complexity = Number(hasLower) + Number(hasUpper) + Number(hasDigit) + Number(hasSpecial); - return complexity >= 3 && entropyTest > 0.4; + // Heuristic for non-hex passphrases + const entropyTest = new Set(key).size / key.length; + return complexity >= 3 && entropyTest > 0.4; } ``` If you want KDF support for non‑hex env keys, I can add PBKDF2+HKDF here to normalize to 32 bytes. Also applies to: 250-262

src/backend/utils/encryption-key-manager.ts

						
				@@ -0,0 +111,4 @@

				    });

				    return newKey;

				  }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Store updates should be atomic; wrap dual settings writes in a transaction.

db_encryption_key and encryption_key_created are updated separately; partial failure can desync metadata.

Suggest using a Drizzle transaction:

-  try {
-      const existing = await db.select().from(settings)...
+  try {
+    await db.transaction(async (tx) => {
+      const existing = await tx.select().from(settings).where(eq(settings.key, 'db_encryption_key'));
+      if (existing.length > 0) {
+        await tx.update(settings).set({ value: encodedData }).where(eq(settings.key, 'db_encryption_key'));
+      } else {
+        await tx.insert(settings).values({ key: 'db_encryption_key', value: encodedData });
+      }
+      const existingCreated = await tx.select().from(settings).where(eq(settings.key, 'encryption_key_created'));
+      if (existingCreated.length > 0) {
+        await tx.update(settings).set({ value: now }).where(eq(settings.key, 'encryption_key_created'));
+      } else {
+        await tx.insert(settings).values({ key: 'encryption_key_created', value: now });
+      }
+    });

Also applies to: 116-169

🤖 Prompt for AI Agents

In src/backend/utils/encryption-key-manager.ts around lines 100-114 (and
likewise for 116-169) the code writes the key value and the creation metadata in
separate operations which can leave store state inconsistent on partial failure;
change the implementation to perform both writes inside a single Drizzle
transaction (use the project's Drizzle transaction/runInTransaction API), write
db_encryption_key and encryption_key_created as part of the same transaction,
commit only on success, roll back on error, and only assign this.currentKey
after the transaction commits; apply the same transactional fix to the other
update block at lines 116-169.

_⚠️ Potential issue_ **Store updates should be atomic; wrap dual settings writes in a transaction.** `db_encryption_key` and `encryption_key_created` are updated separately; partial failure can desync metadata. Suggest using a Drizzle transaction: ```diff - try { - const existing = await db.select().from(settings)... + try { + await db.transaction(async (tx) => { + const existing = await tx.select().from(settings).where(eq(settings.key, 'db_encryption_key')); + if (existing.length > 0) { + await tx.update(settings).set({ value: encodedData }).where(eq(settings.key, 'db_encryption_key')); + } else { + await tx.insert(settings).values({ key: 'db_encryption_key', value: encodedData }); + } + const existingCreated = await tx.select().from(settings).where(eq(settings.key, 'encryption_key_created')); + if (existingCreated.length > 0) { + await tx.update(settings).set({ value: now }).where(eq(settings.key, 'encryption_key_created')); + } else { + await tx.insert(settings).values({ key: 'encryption_key_created', value: now }); + } + }); ``` Also applies to: 116-169 <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encryption-key-manager.ts around lines 100-114 (and likewise for 116-169) the code writes the key value and the creation metadata in separate operations which can leave store state inconsistent on partial failure; change the implementation to perform both writes inside a single Drizzle transaction (use the project's Drizzle transaction/runInTransaction API), write db_encryption_key and encryption_key_created as part of the same transaction, commit only on success, roll back on error, and only assign this.currentKey after the transaction commits; apply the same transactional fix to the other update block at lines 116-169. ``` </details>

src/backend/utils/encryption-key-manager.ts

						
				@@ -0,0 +213,4 @@

				      });

				      return null;

				    }

				  }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:56 +00:00

⚠️ Potential issue

Don’t auto‑generate a new key on read/parse failure; fail fast to prevent data loss.

getStoredKey() returns null on any error, causing initializeKey() to generate a fresh key—breaking decryption of existing data.

Make getStoredKey() return null only when the setting is absent; throw on parse/decrypt errors so initialization fails instead of rotating the key silently.

   private async getStoredKey(): Promise<string | null> {
     try {
       const result = await db.select().from(settings).where(eq(settings.key, 'db_encryption_key'));
 
       if (result.length === 0) {
         return null;
       }
@@
-    } catch (error) {
-      databaseLogger.error('Failed to retrieve stored encryption key', error, {
-        operation: 'key_retrieve_failed'
-      });
-      return null;
-    }
+    } catch (error) {
+      databaseLogger.error('Failed to retrieve stored encryption key', error, {
+        operation: 'key_retrieve_failed'
+      });
+      throw error; // Fail fast; do not generate a new key.
+    }
   }

Also applies to: 45-61

_⚠️ Potential issue_ **Don’t auto‑generate a new key on read/parse failure; fail fast to prevent data loss.** `getStoredKey()` returns `null` on any error, causing `initializeKey()` to generate a fresh key—breaking decryption of existing data. Make `getStoredKey()` return `null` only when the setting is absent; throw on parse/decrypt errors so initialization fails instead of rotating the key silently. ```diff private async getStoredKey(): Promise<string | null> { try { const result = await db.select().from(settings).where(eq(settings.key, 'db_encryption_key')); if (result.length === 0) { return null; } @@ - } catch (error) { - databaseLogger.error('Failed to retrieve stored encryption key', error, { - operation: 'key_retrieve_failed' - }); - return null; - } + } catch (error) { + databaseLogger.error('Failed to retrieve stored encryption key', error, { + operation: 'key_retrieve_failed' + }); + throw error; // Fail fast; do not generate a new key. + } } ``` Also applies to: 45-61

src/backend/utils/encryption-migration.ts

						
				@@ -0,0 +84,4 @@

				    // Validate key strength

				    if (this.config.masterPassword.length < 16) {

				      throw new Error('Master password must be at least 16 characters long');

				    }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Weak password strength validation.

The migration only checks for minimum length of 16 characters but doesn't validate entropy or complexity, which could allow weak passwords like "aaaaaaaaaaaaaaaa".

Consider implementing proper password strength validation using a library like zxcvbn or implementing entropy checks.

🤖 Prompt for AI Agents

In src/backend/utils/encryption-migration.ts around lines 85 to 87, the current
check only enforces a 16-character minimum which allows low-entropy passwords;
replace this with a proper strength check (e.g., integrate zxcvbn or an entropy
calculation) and reject passwords that do not meet a minimum strength threshold.
Specifically, import and call zxcvbn (or compute entropy) on
this.config.masterPassword, require a zxcvbn score >= 3 (or equivalent entropy
bits threshold), and throw a descriptive Error if the score/entropy is too low;
keep the length check as a quick gate but rely on the strength result for final
validation and update any unit tests or error messages accordingly.

_⚠️ Potential issue_ **Weak password strength validation.** The migration only checks for minimum length of 16 characters but doesn't validate entropy or complexity, which could allow weak passwords like "aaaaaaaaaaaaaaaa". Consider implementing proper password strength validation using a library like zxcvbn or implementing entropy checks. <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encryption-migration.ts around lines 85 to 87, the current check only enforces a 16-character minimum which allows low-entropy passwords; replace this with a proper strength check (e.g., integrate zxcvbn or an entropy calculation) and reject passwords that do not meet a minimum strength threshold. Specifically, import and call zxcvbn (or compute entropy) on this.config.masterPassword, require a zxcvbn score >= 3 (or equivalent entropy bits threshold), and throw a descriptive Error if the score/entropy is too low; keep the length check as a quick gate but rely on the strength result for final validation and update any unit tests or error messages accordingly. ``` </details>

src/backend/utils/encryption-migration.ts

						
				@@ -0,0 +112,4 @@

				      const backupPath = path.join(dataDir, `db-backup-${Date.now()}.sqlite`);

				      if (fs.existsSync(dbPath)) {

				        fs.copyFileSync(dbPath, backupPath);

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Use of synchronous file operations blocks the event loop.

Using fs.existsSync and fs.copyFileSync in an async function blocks the Node.js event loop, which could impact server performance during migration.

-      if (fs.existsSync(dbPath)) {
-        fs.copyFileSync(dbPath, backupPath);
+      if (await fs.promises.access(dbPath).then(() => true).catch(() => false)) {
+        await fs.promises.copyFile(dbPath, backupPath);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      if (await fs.promises.access(dbPath).then(() => true).catch(() => false)) {
        await fs.promises.copyFile(dbPath, backupPath);

🤖 Prompt for AI Agents

In src/backend/utils/encryption-migration.ts around lines 114-115, replace the
blocking fs.existsSync and fs.copyFileSync calls with their async equivalents:
check existence using fs.promises.access (or fs.promises.stat) and copy using
await fs.promises.copyFile, and wrap both operations in a try/catch to surface
and handle errors; ensure you await the promise so the function completes only
after the copy and propagate or log failures appropriately.

_⚠️ Potential issue_ **Use of synchronous file operations blocks the event loop.** Using `fs.existsSync` and `fs.copyFileSync` in an async function blocks the Node.js event loop, which could impact server performance during migration. ```diff - if (fs.existsSync(dbPath)) { - fs.copyFileSync(dbPath, backupPath); + if (await fs.promises.access(dbPath).then(() => true).catch(() => false)) { + await fs.promises.copyFile(dbPath, backupPath); ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion if (await fs.promises.access(dbPath).then(() => true).catch(() => false)) { await fs.promises.copyFile(dbPath, backupPath); ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encryption-migration.ts around lines 114-115, replace the blocking fs.existsSync and fs.copyFileSync calls with their async equivalents: check existence using fs.promises.access (or fs.promises.stat) and copy using await fs.promises.copyFile, and wrap both operations in a try/catch to surface and handle errors; ensure you await the promise so the function completes only after the copy and propagate or log failures appropriately. ``` </details>

src/backend/utils/encryption-migration.ts

						
				@@ -0,0 +389,4 @@

				      console.error('Migration failed:', error.message);

				      process.exit(1);

				    });

				}

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Script execution security concern.

When run as a CLI script, it reads sensitive encryption keys from environment variables which could be logged or exposed in process listings.

Consider reading the master password from a secure file or stdin instead of environment variables:

-    masterPassword: process.env.DB_ENCRYPTION_KEY,
+    // Read from stdin or secure file to avoid exposure in process list
+    masterPassword: await readPasswordFromSecureSource(),

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/backend/utils/encryption-migration.ts around lines 373 to 392, the CLI
currently reads the master password from process.env which risks exposure;
change the startup flow to accept the master password via a secure input
mechanism (prefer a --key-file path or read from stdin with a hidden prompt)
instead of environment variables, validate the key-file exists and has strict
permissions, avoid logging or printing the secret anywhere, ensure any in-memory
buffers are zeroed or overwritten after use, and update the config construction
to pull masterPassword from the secure input (with a documented fallback
behavior) rather than process.env.DB_ENCRYPTION_KEY.

_⚠️ Potential issue_ **Script execution security concern.** When run as a CLI script, it reads sensitive encryption keys from environment variables which could be logged or exposed in process listings. Consider reading the master password from a secure file or stdin instead of environment variables: ```diff - masterPassword: process.env.DB_ENCRYPTION_KEY, + // Read from stdin or secure file to avoid exposure in process list + masterPassword: await readPasswordFromSecureSource(), ``` > Committable suggestion skipped: line range outside the PR's diff. <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encryption-migration.ts around lines 373 to 392, the CLI currently reads the master password from process.env which risks exposure; change the startup flow to accept the master password via a secure input mechanism (prefer a --key-file path or read from stdin with a hidden prompt) instead of environment variables, validate the key-file exists and has strict permissions, avoid logging or printing the secret anywhere, ensure any in-memory buffers are zeroed or overwritten after use, and update the config construction to pull masterPassword from the secure input (with a documented fallback behavior) rather than process.env.DB_ENCRYPTION_KEY. ``` </details>

src/backend/utils/encryption.ts

						
				@@ -0,0 +38,4 @@

				    } catch {

				      return false;

				    }

				  }

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

🛠️ Refactor suggestion

isEncrypted() can misclassify valid ciphertexts (empty data).

Encrypted empty strings produce empty ciphertext chunks but a valid tag/iv. Current truthiness check rejects those.

Apply this diff:

-  static isEncrypted(value: string | null): boolean {
+  static isEncrypted(value: string | null): boolean {
     if (!value) return false;
     try {
       const parsed = JSON.parse(value);
-      return !!(parsed.data && parsed.iv && parsed.tag);
+      return parsed && typeof parsed === 'object'
+        && typeof parsed.iv === 'string' && parsed.iv.length > 0
+        && typeof parsed.tag === 'string' && parsed.tag.length > 0
+        && Object.prototype.hasOwnProperty.call(parsed, 'data');
     } catch {
       return false;
     }
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

  static isEncrypted(value: string | null): boolean {
    if (!value) return false;
    try {
      const parsed = JSON.parse(value);
      return parsed && typeof parsed === 'object'
        && typeof parsed.iv === 'string' && parsed.iv.length > 0
        && typeof parsed.tag === 'string' && parsed.tag.length > 0
        && Object.prototype.hasOwnProperty.call(parsed, 'data');
    } catch {
      return false;
    }
  }

🤖 Prompt for AI Agents

In src/backend/utils/encryption.ts around lines 33 to 41, isEncrypted currently
uses truthiness checks that reject valid ciphertexts with empty data; update the
checks to parse the JSON then verify the parsed value is an object that has the
'data' property (allow empty string), and that 'iv' and 'tag' exist as non-empty
strings (e.g. use hasOwnProperty('data') plus typeof parsed.iv === 'string' &&
parsed.iv.length > 0 and typeof parsed.tag === 'string' && parsed.tag.length >
0), returning true only when those conditions hold and false on parse errors.

_🛠️ Refactor suggestion_ **isEncrypted() can misclassify valid ciphertexts (empty data).** Encrypted empty strings produce empty ciphertext chunks but a valid tag/iv. Current truthiness check rejects those. Apply this diff: ```diff - static isEncrypted(value: string | null): boolean { + static isEncrypted(value: string | null): boolean { if (!value) return false; try { const parsed = JSON.parse(value); - return !!(parsed.data && parsed.iv && parsed.tag); + return parsed && typeof parsed === 'object' + && typeof parsed.iv === 'string' && parsed.iv.length > 0 + && typeof parsed.tag === 'string' && parsed.tag.length > 0 + && Object.prototype.hasOwnProperty.call(parsed, 'data'); } catch { return false; } } ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion static isEncrypted(value: string | null): boolean { if (!value) return false; try { const parsed = JSON.parse(value); return parsed && typeof parsed === 'object' && typeof parsed.iv === 'string' && parsed.iv.length > 0 && typeof parsed.tag === 'string' && parsed.tag.length > 0 && Object.prototype.hasOwnProperty.call(parsed, 'data'); } catch { return false; } } ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/encryption.ts around lines 33 to 41, isEncrypted currently uses truthiness checks that reject valid ciphertexts with empty data; update the checks to parse the JSON then verify the parsed value is an object that has the 'data' property (allow empty string), and that 'iv' and 'tag' exist as non-empty strings (e.g. use hasOwnProperty('data') plus typeof parsed.iv === 'string' && parsed.iv.length > 0 and typeof parsed.tag === 'string' && parsed.tag.length > 0), returning true only when those conditions hold and false on parse errors. ``` </details>

src/backend/utils/master-key-protection.ts

						
				@@ -0,0 +16,4 @@

				  private static readonly VERSION = 'v1';

				  private static readonly KEK_SALT = 'termix-kek-salt-v1';

				  private static readonly KEK_ITERATIONS = 50000;

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Align KEK iteration count with PR spec (100,000).

Spec says PBKDF2 + HKDF with 100k iterations. This class uses PBKDF2 with 50k and no HKDF.

Apply this diff (and consider adding HKDF if required by your threat model):

-  private static readonly KEK_ITERATIONS = 50000;
+  private static readonly KEK_ITERATIONS = 100000;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

  private static readonly KEK_SALT = 'termix-kek-salt-v1';
  private static readonly KEK_ITERATIONS = 100000;

🤖 Prompt for AI Agents

In src/backend/utils/master-key-protection.ts around lines 17 to 19, the KEK
iteration count and derivation method are out of spec: change KEK_ITERATIONS
from 50000 to 100000 and implement PBKDF2 followed by HKDF per spec;
specifically, derive an intermediate key using PBKDF2(password, KEK_SALT,
iterations=100000, desiredLength), then run HKDF-Extract and HKDF-Expand (with
an appropriate info/context string) to produce the final KEK of the required
length, replacing the current single-PBKDF2 path, or at minimum update the
constant to 100000 and add a TODO/comment to implement HKDF if full
implementation cannot be done immediately.

_⚠️ Potential issue_ **Align KEK iteration count with PR spec (100,000).** Spec says PBKDF2 + HKDF with 100k iterations. This class uses PBKDF2 with 50k and no HKDF. Apply this diff (and consider adding HKDF if required by your threat model): ```diff - private static readonly KEK_ITERATIONS = 50000; + private static readonly KEK_ITERATIONS = 100000; ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion private static readonly KEK_SALT = 'termix-kek-salt-v1'; private static readonly KEK_ITERATIONS = 100000; ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/master-key-protection.ts around lines 17 to 19, the KEK iteration count and derivation method are out of spec: change KEK_ITERATIONS from 50000 to 100000 and implement PBKDF2 followed by HKDF per spec; specifically, derive an intermediate key using PBKDF2(password, KEK_SALT, iterations=100000, desiredLength), then run HKDF-Extract and HKDF-Expand (with an appropriate info/context string) to produce the final KEK of the required length, replacing the current single-PBKDF2 path, or at minimum update the constant to 100000 and add a TODO/comment to implement HKDF if full implementation cannot be done immediately. ``` </details>

src/backend/utils/master-key-protection.ts

						
				@@ -0,0 +26,4 @@

				        process.cwd(),

				        this.getFileSystemFingerprint(),

				        this.getNetworkFingerprint()

				      ];

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Unstable device fingerprint risks permanent lock‑out.

Including values like hostname and process.cwd() makes the KEK drift across reboots/deploys/paths. Users could lose access after benign changes.

Remove process.cwd() and hostname; prefer stable identifiers (e.g., machine-id, volume UUID) with fallbacks.
Cache the fingerprint once (persisted) to avoid recomputation drift.
Example minimal change:

-        os.hostname(),
         os.platform(),
         os.arch(),
-        process.cwd(),
         this.getFileSystemFingerprint(),
         this.getNetworkFingerprint()

Would you like me to propose a machine-id based variant?

Also applies to: 31-47

🤖 Prompt for AI Agents

In src/backend/utils/master-key-protection.ts around lines 20-29 (and similarly
31-47), the current device fingerprint uses unstable values (hostname,
process.cwd()) that can change and permanently alter the KEK; remove hostname
and process.cwd() from the features array, replace them with stable identifiers
such as machine-id or volume UUID with sensible fallbacks (e.g., MAC,
OS-specific machine-id files), and implement a one-time persisted cache for the
computed fingerprint (write to a local file or secure store) so the fingerprint
is stable across reboots/deploys and not recomputed each run.

_⚠️ Potential issue_ **Unstable device fingerprint risks permanent lock‑out.** Including values like hostname and process.cwd() makes the KEK drift across reboots/deploys/paths. Users could lose access after benign changes. - Remove process.cwd() and hostname; prefer stable identifiers (e.g., machine-id, volume UUID) with fallbacks. - Cache the fingerprint once (persisted) to avoid recomputation drift. Example minimal change: ```diff - os.hostname(), os.platform(), os.arch(), - process.cwd(), this.getFileSystemFingerprint(), this.getNetworkFingerprint() ``` Would you like me to propose a machine-id based variant? Also applies to: 31-47 <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/master-key-protection.ts around lines 20-29 (and similarly 31-47), the current device fingerprint uses unstable values (hostname, process.cwd()) that can change and permanently alter the KEK; remove hostname and process.cwd() from the features array, replace them with stable identifiers such as machine-id or volume UUID with sensible fallbacks (e.g., MAC, OS-specific machine-id files), and implement a one-time persisted cache for the computed fingerprint (write to a local file or secure store) so the fingerprint is stable across reboots/deploys and not recomputed each run. ``` </details>

src/backend/utils/master-key-protection.ts

						
				@@ -0,0 +112,4 @@

				      let encrypted = cipher.update(masterKey, 'hex', 'hex');

				      encrypted += cipher.final('hex');

				      const tag = cipher.getAuthTag();

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Incorrect cipher encodings (encrypt/decrypt will corrupt non‑hex keys).

You’re treating the plaintext master key as hex on both encrypt and decrypt. If the key is a regular string (e.g., from env), it will break.

Apply this diff:

-      let encrypted = cipher.update(masterKey, 'hex', 'hex');
+      let encrypted = cipher.update(masterKey, 'utf8', 'hex');
       encrypted += cipher.final('hex');
...
-      let decrypted = decipher.update(protectedData.data, 'hex', 'hex');
-      decrypted += decipher.final('hex');
+      let decrypted = decipher.update(protectedData.data, 'hex', 'utf8');
+      decrypted += decipher.final('utf8');

Also applies to: 167-169

🤖 Prompt for AI Agents

In src/backend/utils/master-key-protection.ts around lines 112-115 (and also
lines 167-169), the cipher.update()/final() calls incorrectly treat the
plaintext master key as 'hex' which will corrupt non-hex keys; change the
encrypt path to call cipher.update(masterKey, 'utf8', 'hex') and
cipher.final('hex') (so input is treated as utf8 and output as hex) and change
the decrypt path to call decipher.update(encrypted, 'hex', 'utf8') and
decipher.final('utf8') (so input is hex and output utf8). Ensure the auth tag
usage remains the same.

_⚠️ Potential issue_ **Incorrect cipher encodings (encrypt/decrypt will corrupt non‑hex keys).** You’re treating the plaintext master key as hex on both encrypt and decrypt. If the key is a regular string (e.g., from env), it will break. Apply this diff: ```diff - let encrypted = cipher.update(masterKey, 'hex', 'hex'); + let encrypted = cipher.update(masterKey, 'utf8', 'hex'); encrypted += cipher.final('hex'); ... - let decrypted = decipher.update(protectedData.data, 'hex', 'hex'); - decrypted += decipher.final('hex'); + let decrypted = decipher.update(protectedData.data, 'hex', 'utf8'); + decrypted += decipher.final('utf8'); ``` Also applies to: 167-169 <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/master-key-protection.ts around lines 112-115 (and also lines 167-169), the cipher.update()/final() calls incorrectly treat the plaintext master key as 'hex' which will corrupt non-hex keys; change the encrypt path to call cipher.update(masterKey, 'utf8', 'hex') and cipher.final('hex') (so input is treated as utf8 and output as hex) and change the decrypt path to call decipher.update(encrypted, 'hex', 'utf8') and decipher.final('utf8') (so input is hex and output utf8). Ensure the auth tag usage remains the same. ``` </details>

src/backend/utils/ssh-key-utils.ts

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Critical: Binary string conversion loses data integrity

Converting Buffer to 'binary' string can corrupt the data due to character encoding issues. This could lead to incorrect key type detection.

-      const decoded = Buffer.from(base64Content, 'base64').toString('binary');
+      const decoded = Buffer.from(base64Content, 'base64');

Then search for the key type indicators directly in the Buffer:

-      if (decoded.includes('ssh-rsa')) {
+      if (decoded.includes(Buffer.from('ssh-rsa'))) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      const decoded = Buffer.from(base64Content, 'base64');
      if (decoded.includes(Buffer.from('ssh-rsa'))) {

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 36-37, the code converts the
decoded Buffer to a 'binary' string which can corrupt data; instead keep the
decoded value as a Buffer (const decoded = Buffer.from(base64Content, 'base64'))
and detect key type by searching the Buffer directly (use
Buffer.prototype.includes or indexOf with Buffer.from('ssh-') /
Buffer.from('BEGIN') / other key markers) rather than calling
toString('binary'); update downstream checks to operate on the Buffer or
explicitly decode to 'utf8' only when safe.

_⚠️ Potential issue_ **Critical: Binary string conversion loses data integrity** Converting Buffer to 'binary' string can corrupt the data due to character encoding issues. This could lead to incorrect key type detection. ```diff - const decoded = Buffer.from(base64Content, 'base64').toString('binary'); + const decoded = Buffer.from(base64Content, 'base64'); ``` Then search for the key type indicators directly in the Buffer: ```diff - if (decoded.includes('ssh-rsa')) { + if (decoded.includes(Buffer.from('ssh-rsa'))) { ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion const decoded = Buffer.from(base64Content, 'base64'); if (decoded.includes(Buffer.from('ssh-rsa'))) { ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 36-37, the code converts the decoded Buffer to a 'binary' string which can corrupt data; instead keep the decoded value as a Buffer (const decoded = Buffer.from(base64Content, 'base64')) and detect key type by searching the Buffer directly (use Buffer.prototype.includes or indexOf with Buffer.from('ssh-') / Buffer.from('BEGIN') / other key markers) rather than calling toString('binary'); update downstream checks to operate on the Buffer or explicitly decode to 'utf8' only when safe. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Critical: Binary string conversion issue repeated

Same binary string conversion issue that can corrupt data during PKCS#8 format detection.

       const decoded = Buffer.from(base64Content, 'base64');
-      const decodedString = decoded.toString('binary');
+      // Work directly with the Buffer instead

Search for OIDs directly in the Buffer:

-      if (decodedString.includes('1.2.840.113549.1.1.1')) {
+      // Convert OID string to Buffer for comparison
+      const rsaOid = Buffer.from([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]);
+      if (decoded.includes(rsaOid)) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      const decoded = Buffer.from(base64Content, 'base64');
      // Work directly with the Buffer instead

      // Convert OID string to Buffer for comparison
      const rsaOid = Buffer.from([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]);
      if (decoded.includes(rsaOid)) {
        // existing handling for RSA OID...
      }

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 83-84 the code decodes base64
into a string using decoded.toString('binary'), which can corrupt binary data
and break PKCS#8 OID detection; instead keep the data as a Buffer and search for
OID byte sequences directly (e.g., use Buffer.indexOf or Buffer.includes with
Buffer.from([ ...OID bytes... ]) to detect the PKCS#8 OID), removing any
toString('binary') conversion and basing the detection on the raw Buffer.

_⚠️ Potential issue_ **Critical: Binary string conversion issue repeated** Same binary string conversion issue that can corrupt data during PKCS#8 format detection. ```diff const decoded = Buffer.from(base64Content, 'base64'); - const decodedString = decoded.toString('binary'); + // Work directly with the Buffer instead ``` Search for OIDs directly in the Buffer: ```diff - if (decodedString.includes('1.2.840.113549.1.1.1')) { + // Convert OID string to Buffer for comparison + const rsaOid = Buffer.from([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]); + if (decoded.includes(rsaOid)) { ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion const decoded = Buffer.from(base64Content, 'base64'); // Work directly with the Buffer instead // Convert OID string to Buffer for comparison const rsaOid = Buffer.from([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]); if (decoded.includes(rsaOid)) { // existing handling for RSA OID... } ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 83-84 the code decodes base64 into a string using decoded.toString('binary'), which can corrupt binary data and break PKCS#8 OID detection; instead keep the data as a Buffer and search for OID byte sequences directly (e.g., use Buffer.indexOf or Buffer.includes with Buffer.from([ ...OID bytes... ]) to detect the PKCS#8 OID), removing any toString('binary') conversion and basing the detection on the raw Buffer. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:57 +00:00

⚠️ Potential issue

Unreliable key type detection based on content length

Using content length to determine key type is highly unreliable and could lead to incorrect key type identification. Key sizes can vary significantly within the same key type.

Consider removing this fallback or implementing a more robust detection mechanism:

-    // Fallback: Try to detect key type from the content structure
-    // This is a fallback for PKCS#8 format keys
-    if (content.length < 800) {
-      // Ed25519 keys are typically shorter
-      return 'ssh-ed25519';
-    } else if (content.length > 1600) {
-      // RSA keys are typically longer
-      return 'ssh-rsa';
-    } else {
-      // ECDSA keys are typically medium length
-      return 'ecdsa-sha2-nistp256';
-    }
+    // Unable to determine key type from PKCS#8 content
+    return 'unknown';

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    // Unable to determine key type from PKCS#8 content
    return 'unknown';

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 108 to 117, the fallback that
infers key type from content.length is unreliable; remove the length-based
heuristics and instead detect the key type from the SSH public key text (split
the content by whitespace and use the first token as the key type when present),
and if that fails, avoid guessing — return null or throw an explicit error (or
implement a proper parser that decodes the base64 blob and inspects key
metadata) so callers can handle unknown types rather than relying on
length-based defaults.

_⚠️ Potential issue_ **Unreliable key type detection based on content length** Using content length to determine key type is highly unreliable and could lead to incorrect key type identification. Key sizes can vary significantly within the same key type. Consider removing this fallback or implementing a more robust detection mechanism: ```diff - // Fallback: Try to detect key type from the content structure - // This is a fallback for PKCS#8 format keys - if (content.length < 800) { - // Ed25519 keys are typically shorter - return 'ssh-ed25519'; - } else if (content.length > 1600) { - // RSA keys are typically longer - return 'ssh-rsa'; - } else { - // ECDSA keys are typically medium length - return 'ecdsa-sha2-nistp256'; - } + // Unable to determine key type from PKCS#8 content + return 'unknown'; ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion // Unable to determine key type from PKCS#8 content return 'unknown'; ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 108 to 117, the fallback that infers key type from content.length is unreliable; remove the length-based heuristics and instead detect the key type from the SSH public key text (split the content by whitespace and use the first token as the key type when present), and if that fails, avoid guessing — return null or throw an explicit error (or implement a proper parser that decodes the base64 blob and inspects key metadata) so callers can handle unknown types rather than relying on length-based defaults. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

⚠️ Potential issue

Critical: Binary string conversion in public key detection

Same issue with binary string conversion that can corrupt data during public key type detection.

       const decoded = Buffer.from(base64Content, 'base64');
-      const decodedString = decoded.toString('binary');
+      // Work directly with the Buffer

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 157-158, the code uses
decoded.toString('binary') which can corrupt data when detecting public key
types; replace the binary encoding with a UTF-8-safe approach (e.g.,
decoded.toString('utf8') or simply decoded.toString()) or avoid converting to a
string entirely and operate on the Buffer (check prefixes like Buffer.compare or
slice to match "ssh-" bytes) so public key detection remains lossless and
accurate.

_⚠️ Potential issue_ **Critical: Binary string conversion in public key detection** Same issue with binary string conversion that can corrupt data during public key type detection. ```diff const decoded = Buffer.from(base64Content, 'base64'); - const decodedString = decoded.toString('binary'); + // Work directly with the Buffer ``` > Committable suggestion skipped: line range outside the PR's diff. <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 157-158, the code uses decoded.toString('binary') which can corrupt data when detecting public key types; replace the binary encoding with a UTF-8-safe approach (e.g., decoded.toString('utf8') or simply decoded.toString()) or avoid converting to a string entirely and operate on the Buffer (check prefixes like Buffer.compare or slice to match "ssh-" bytes) so public key detection remains lossless and accurate. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

⚠️ Potential issue

Unreliable public key type detection based on length

Using content length for public key type detection is unreliable and error-prone.

-    // Fallback: Try to guess based on key length
-    if (content.length < 400) {
-      return 'ssh-ed25519';
-    } else if (content.length > 600) {
-      return 'ssh-rsa';
-    } else {
-      return 'ecdsa-sha2-nistp256';
-    }
+    // Unable to determine public key type from PEM content
+    return 'unknown';

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    // Unable to determine public key type from PEM content
    return 'unknown';

_⚠️ Potential issue_ **Unreliable public key type detection based on length** Using content length for public key type detection is unreliable and error-prone. ```diff - // Fallback: Try to guess based on key length - if (content.length < 400) { - return 'ssh-ed25519'; - } else if (content.length > 600) { - return 'ssh-rsa'; - } else { - return 'ecdsa-sha2-nistp256'; - } + // Unable to determine public key type from PEM content + return 'unknown'; ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion // Unable to determine public key type from PEM content return 'unknown'; ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

⚠️ Potential issue

Missing passphrase parameter in detectKeyType function

The detectKeyType function doesn't accept a passphrase parameter, which means it will fail for encrypted keys. This is inconsistent with the parseSSHKey function.

-export function detectKeyType(privateKeyData: string): string {
+export function detectKeyType(privateKeyData: string, passphrase?: string): string {
   try {
-    const parsedKey = ssh2Utils.parseKey(privateKeyData);
+    const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

export function detectKeyType(privateKeyData: string, passphrase?: string): string {
  try {
    const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase);
    if (parsedKey instanceof Error) {
      return 'unknown';
    }
    return parsedKey.type || 'unknown';
  } catch (error) {
    return 'unknown';
  }
}

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 396 to 406, detectKeyType
currently doesn't accept a passphrase so it fails on encrypted keys; change its
signature to accept an optional passphrase parameter (string | Buffer |
undefined) and forward that passphrase into ssh2Utils.parseKey (use the same
call shape as parseSSHKey in this file), preserving the existing Error-instance
and catch handling and returning parsedKey.type || 'unknown' or 'unknown' on
errors. Ensure the function signature and any callers are updated to pass a
passphrase when available.

_⚠️ Potential issue_ **Missing passphrase parameter in detectKeyType function** The `detectKeyType` function doesn't accept a passphrase parameter, which means it will fail for encrypted keys. This is inconsistent with the `parseSSHKey` function. ```diff -export function detectKeyType(privateKeyData: string): string { +export function detectKeyType(privateKeyData: string, passphrase?: string): string { try { - const parsedKey = ssh2Utils.parseKey(privateKeyData); + const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase); ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion export function detectKeyType(privateKeyData: string, passphrase?: string): string { try { const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase); if (parsedKey instanceof Error) { return 'unknown'; } return parsedKey.type || 'unknown'; } catch (error) { return 'unknown'; } } ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 396 to 406, detectKeyType currently doesn't accept a passphrase so it fails on encrypted keys; change its signature to accept an optional passphrase parameter (string | Buffer | undefined) and forward that passphrase into ssh2Utils.parseKey (use the same call shape as parseSSHKey in this file), preserving the existing Error-instance and catch handling and returning parsedKey.type || 'unknown' or 'unknown' on errors. Ensure the function signature and any callers are updated to pass a passphrase when available. ``` </details>

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

⚠️ Potential issue

Misleading validation result when unable to verify

Returning isValid: true when unable to verify the key pair is misleading and could lead to security issues.

   // If we can't generate public key or compare, just check if types match
   return {
-    isValid: true, // Assume valid if types match and no errors
+    isValid: false, // Cannot verify without comparison
     privateKeyType: privateKeyInfo.keyType,
     publicKeyType: publicKeyInfo.keyType,
-    error: 'Unable to verify key pair match, but key types are compatible'
+    error: 'Unable to verify key pair - manual verification required'
   };

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      isValid: false, // Cannot verify without comparison
      privateKeyType: privateKeyInfo.keyType,
      publicKeyType: publicKeyInfo.keyType,
      error: 'Unable to verify key pair - manual verification required'
    };

🤖 Prompt for AI Agents

In src/backend/utils/ssh-key-utils.ts around lines 512 to 516, the function
currently returns isValid: true when key types match but actual pair
verification failed, which is misleading; change the result to isValid: false
(or add a separate verified:false field) when you cannot confirm the key pair
match, include the underlying error message or reason in the error property, and
ensure any callers treat this case as a validation failure rather than a
success.

_⚠️ Potential issue_ **Misleading validation result when unable to verify** Returning `isValid: true` when unable to verify the key pair is misleading and could lead to security issues. ```diff // If we can't generate public key or compare, just check if types match return { - isValid: true, // Assume valid if types match and no errors + isValid: false, // Cannot verify without comparison privateKeyType: privateKeyInfo.keyType, publicKeyType: publicKeyInfo.keyType, - error: 'Unable to verify key pair match, but key types are compatible' + error: 'Unable to verify key pair - manual verification required' }; ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion isValid: false, // Cannot verify without comparison privateKeyType: privateKeyInfo.keyType, publicKeyType: publicKeyInfo.keyType, error: 'Unable to verify key pair - manual verification required' }; ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In src/backend/utils/ssh-key-utils.ts around lines 512 to 516, the function currently returns isValid: true when key types match but actual pair verification failed, which is misleading; change the result to isValid: false (or add a separate verified:false field) when you cannot confirm the key pair match, include the underlying error message or reason in the error property, and ensure any callers treat this case as a validation failure rather than a success. ``` </details>

src/ui/Desktop/Admin/AdminSettings.tsx

						
				@@ -254,0 +314,4 @@

				    } finally {

				      setEncryptionLoading(false);

				    }

				  };

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

🛠️ Refactor suggestion

Do not use fetch directly; route via main-axios.ts API helpers

Project policy: “All API interactions should go through main-axios.ts.” Replace the three fetch calls with centralized helpers for consistent base URL, JWT, error handling, and i18n.

- const response = await fetch(apiUrl, { headers: { Authorization: `Bearer ${jwt}`, ... } });
- const response = await fetch(apiUrl, { method: "POST", headers: {...}, body: ... });
+ const data = await getEncryptionStatus();
+ const res = await initializeEncryption();
+ const res = await migrateEncryption({ dryRun });

Add these helpers to main-axios.ts:

// main-axios.ts
export async function getEncryptionStatus() {
  return axiosInstance.get("/encryption/status").then(r => r.data);
}
export async function initializeEncryption() {
  return axiosInstance.post("/encryption/initialize").then(r => r.data);
}
export async function migrateEncryption(params: { dryRun: boolean }) {
  return axiosInstance.post("/encryption/migrate", params).then(r => r.data);
}

Then import and use them here.

Also applies to: 289-317, 319-358

_🛠️ Refactor suggestion_ **Do not use fetch directly; route via main-axios.ts API helpers** Project policy: “All API interactions should go through main-axios.ts.” Replace the three fetch calls with centralized helpers for consistent base URL, JWT, error handling, and i18n. ```diff - const response = await fetch(apiUrl, { headers: { Authorization: `Bearer ${jwt}`, ... } }); - const response = await fetch(apiUrl, { method: "POST", headers: {...}, body: ... }); + const data = await getEncryptionStatus(); + const res = await initializeEncryption(); + const res = await migrateEncryption({ dryRun }); ``` Add these helpers to main-axios.ts: ```ts // main-axios.ts export async function getEncryptionStatus() { return axiosInstance.get("/encryption/status").then(r => r.data); } export async function initializeEncryption() { return axiosInstance.post("/encryption/initialize").then(r => r.data); } export async function migrateEncryption(params: { dryRun: boolean }) { return axiosInstance.post("/encryption/migrate", params).then(r => r.data); } ``` Then import and use them here. Also applies to: 289-317, 319-358

unified_key_section.tsx

coderabbitai[bot] (Migrated from github.com) commented

2025-09-16 02:49:58 +00:00

⚠️ Potential issue

Insecure file upload pattern - accepts all file types.

The file input accepts * along with specific extensions, which allows users to upload any file type. This could lead to uploading malicious files or non-key files.

Apply this diff to restrict file types:

-                                      accept="*,.pem,.key,.txt,.ppk"
+                                      accept=".pem,.key,.txt,.ppk"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

                                      accept=".pem,.key,.txt,.ppk"

🤖 Prompt for AI Agents

In unified_key_section.tsx around line 24 the file input's accept attribute
includes a wildcard "*" which allows any file type; update the accept attribute
to remove the "*" and list only the allowed extensions/MIME types (e.g.,
.pem,.key,.txt,.ppk and/or specific key-related MIME types) and ensure any
client-side restriction is complemented by server-side validation that enforces
allowed file types and sizes before processing or storing uploads.

_⚠️ Potential issue_ **Insecure file upload pattern - accepts all file types.** The file input accepts `*` along with specific extensions, which allows users to upload any file type. This could lead to uploading malicious files or non-key files. Apply this diff to restrict file types: ```diff - accept="*,.pem,.key,.txt,.ppk" + accept=".pem,.key,.txt,.ppk" ```  <details> <summary>📝 Committable suggestion</summary> > ‼️ **IMPORTANT** > Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements. ```suggestion accept=".pem,.key,.txt,.ppk" ``` </details>  <details> <summary>🤖 Prompt for AI Agents</summary> ``` In unified_key_section.tsx around line 24 the file input's accept attribute includes a wildcard "*" which allows any file type; update the accept attribute to remove the "*" and list only the allowed extensions/MIME types (e.g., .pem,.key,.txt,.ppk and/or specific key-related MIME types) and ensure any client-side restriction is complemented by server-side validation that enforces allowed file types and sizes before processing or storing uploads. ``` </details>

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dennii/Termix#244