feat(security): migrate API keys to IndexedDB, fix silent catches, add snapshot validation #331

Merged: d-oit merged 1 commit into main from feat/security-hardening-and-tests on Jun 19, 2026

Conversation

@d-oit (Owner) commented Jun 19, 2026
Summary

  • Migrate API key storage from localStorage to encrypted IndexedDB (AES-GCM)
  • Fix 11 silent catch blocks with proper logging across 7 files
  • Add Zod validation for graph snapshot data
  • Add ftp: to blocked URL schemes for SSRF prevention
  • Add 34 new tests (graph-schemas, editor extensions, keyboard nav)

Changes

  • New file: src/lib/key-store.ts — IndexedDB-backed encrypted key store with localStorage migration
  • Updated: src/lib/llm/config.ts — Uses keyStore instead of localStorage, auto-migrates existing keys
  • Updated: src/lib/llm/encryption.ts — Added logger for corrupted key recovery
  • Updated: src/lib/resolver.ts — Added ftp: to blocked URL schemes
  • Updated: src/features/graph/graph-schemas.ts — Added GraphSnapshotDataSchema and validateSnapshotData()
  • Updated: src/features/graph/GraphSnapshotManager.ts — Validates snapshot data before loading
  • Updated: 7 files with silent catch blocks — Added proper logging (logger.warn/debug)
  • New tests: graph-schemas.test.ts (15), extensions.test.ts (12), GraphKeyboardNav.test.ts (7)
  • Updated test: config.test.ts — Mocks IndexedDB key store instead of localStorage

Verification

  • pnpm run lint — 0 errors
  • pnpm run typecheck — clean
  • pnpm run test — 445/445 passing
  • pnpm run build — builds successfully
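As an added example of the storage pattern the summary describes (this is not the PR's key-store.ts, whose code is not shown on this page): API keys encrypted with AES-GCM under a non-extractable master key, a fresh nonce per write, a one-time migration out of plaintext localStorage-style entries, and a decrypt failure that is logged and discarded rather than swallowed. It assumes Node's `node:crypto` WebCrypto in place of `window.crypto`, a Map in place of both IndexedDB and localStorage, and the hypothetical names newBackend, setKey, getKey, migrateFromLegacy and demo.

```typescript
// Added example, not the project's key-store.ts. Node's WebCrypto stands in
// for window.crypto; an in-memory Map stands in for IndexedDB/localStorage.
import { webcrypto } from "node:crypto";

const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// CryptoKey type taken from the encrypt() signature so it resolves under both
// the DOM and Node type libraries.
type MasterKey = Parameters<typeof subtle.encrypt>[1];

export interface EncryptedRecord { iv: Uint8Array; ciphertext: Uint8Array }

// What IndexedDB can hold that localStorage cannot: a CryptoKey object (via
// structured clone). With extractable:false the raw key bytes are never
// observable from script, only usable through subtle.encrypt/decrypt.
export interface KeyBackend { masterKey?: MasterKey; records: Map<string, EncryptedRecord> }

export function newBackend(): KeyBackend { return { records: new Map() }; }

async function masterKey(db: KeyBackend): Promise<MasterKey> {
  if (!db.masterKey) {
    db.masterKey = await subtle.generateKey(
      { name: "AES-GCM", length: 256 }, false /* extractable */, ["encrypt", "decrypt"]);
  }
  return db.masterKey;
}

export async function setKey(db: KeyBackend, name: string, secret: string): Promise<void> {
  const key = await masterKey(db);
  // 96-bit nonce, fresh per write: a repeated (key, iv) pair breaks GCM entirely.
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  // The record name is bound as AAD, so a ciphertext cannot be swapped between names.
  const ciphertext = new Uint8Array(await subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(name) }, key, enc.encode(secret)));
  db.records.set(name, { iv, ciphertext });
}

export async function getKey(db: KeyBackend, name: string): Promise<string | undefined> {
  const rec = db.records.get(name);
  if (!rec) return undefined;
  const key = await masterKey(db);
  try {
    const plain = await subtle.decrypt(
      { name: "AES-GCM", iv: rec.iv, additionalData: enc.encode(name) }, key, rec.ciphertext);
    return dec.decode(plain);
  } catch (err) {
    // GCM tag mismatch: corrupted or tampered record. Log it (not a silent catch),
    // drop the record, and report "absent" rather than returning garbage.
    console.warn(`key-store: record "${name}" failed authentication, discarding`,
      err instanceof Error ? err.name : err);
    db.records.delete(name);
    return undefined;
  }
}

// One-time migration: encrypt each legacy plaintext entry, then delete the
// plaintext so it does not linger beside the encrypted copy.
export async function migrateFromLegacy(
  db: KeyBackend, legacy: Map<string, string>, prefix = "apiKey:"): Promise<number> {
  let moved = 0;
  for (const [k, v] of [...legacy]) {
    if (!k.startsWith(prefix)) continue;
    await setKey(db, k.slice(prefix.length), v);
    legacy.delete(k);
    moved++;
  }
  return moved;
}

// Flip one ciphertext bit to simulate on-disk corruption or tampering.
export function corruptRecord(db: KeyBackend, name: string): void {
  const rec = db.records.get(name);
  if (rec) rec.ciphertext[0] ^= 0x01;
}

export async function demo() {
  const db = newBackend();
  // Constructed sample data standing in for a legacy localStorage.
  const legacy = new Map([["apiKey:openai", "sk-demo-123"], ["theme", "dark"]]);
  const moved = await migrateFromLegacy(db, legacy);
  const roundTrip = await getKey(db, "openai");
  const stored = db.records.get("openai")!;
  const ciphertextIsNotPlaintext = !dec.decode(stored.ciphertext).includes("sk-demo");
  corruptRecord(db, "openai");
  const afterTamper = await getKey(db, "openai");
  return { moved, legacyLeft: [...legacy.keys()], roundTrip,
           ciphertextIsNotPlaintext, afterTamper, extractable: db.masterKey!.extractable };
}
```

The gain over localStorage is not only ciphertext at rest: the master key lives in the store as a CryptoKey with extractable:false, so script in the page (including injected script) can drive decryption through the API but cannot read the key bytes out, whereas a string in localStorage has no such boundary. Whether the PR's key-store.ts keeps its master key that way is not visible on this page.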

…d snapshot validation

- Create key-store.ts with AES-GCM encrypted IndexedDB storage for API keys
- Migrate LLM config from localStorage to IndexedDB with auto-migration
- Add ftp: to blocked URL schemes for SSRF prevention
- Add Zod validation for graph snapshot data (validateSnapshotData)
- Fix 11 silent catch blocks with proper logging across 7 files
- Add 34 new tests: graph-schemas (15), editor extensions (12), keyboard nav (7)
- Update config tests to mock IndexedDB key store
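The commit message's "ftp: added to blocked URL schemes" is the shape of fix a deny-list invites over and over. As an added example (not the PR's resolver.ts, which is not shown here) of the alternative a reviewer would ask for, here is a scheme allow-list plus a literal-address check for outbound requests, written against the WHATWG URL parser that Node and browsers share; it goes a step beyond the page's scheme check by also refusing loopback, private and link-local IPv4 literals. checkOutboundUrl, UrlVerdict and isInternalIPv4 are hypothetical names.

```typescript
// Added example, not the project's resolver.ts.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:"]);

export type UrlVerdict =
  | { ok: true; url: URL }
  | { ok: false; reason: string };

// IPv4 literals an SSRF target typically sits behind. The WHATWG parser already
// canonicalises alternative forms for special schemes (http://0x7f000001/ and
// http://2130706433/ both yield hostname 127.0.0.1), so matching the dotted
// form is sufficient for literals.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 ||                            // 0.0.0.0/8 ("this host")
    a === 10 ||                           // 10/8
    a === 127 ||                          // loopback
    (a === 169 && b === 254) ||           // link-local, cloud metadata endpoints
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16/12
    (a === 192 && b === 168)              // 192.168/16
  );
}

export function checkOutboundUrl(raw: string): UrlVerdict {
  let url: URL;
  try {
    url = new URL(raw.trim());
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // url.protocol is already lower-cased, so "FTP://" is seen as "ftp:".
  // Allow-listing means file:, ftp:, gopher:, javascript:, data: never need
  // to be enumerated one by one.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost") ||
      host === "::1" || host === "::" || isInternalIPv4(host)) {
    return { ok: false, reason: `internal host ${url.hostname}` };
  }
  return { ok: true, url };
}
```

This checks literals only: a public hostname that resolves to an internal address (DNS rebinding) or an IPv6-mapped IPv4 address still needs a check on the resolved address at connect time, which a pure URL-string check cannot provide.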
@github-actions github-actions Bot added config tests Related to automated/manual tests labels Jun 19, 2026
@codacy-production (Contributor) commented

Not up to standards ⛔

Issues: 13 high (13 new issues, all in the Security category; gate is ≤ 0 issues of at least minor severity)

Metrics: complexity 82, duplication 22 (🟢)

@d-oit d-oit enabled auto-merge (squash) June 19, 2026 14:51
@d-oit d-oit merged commit fd3c0e6 into main Jun 19, 2026
20 of 21 checks passed
@d-oit d-oit deleted the feat/security-hardening-and-tests branch June 19, 2026 14:53

Labels: config, tests (Related to automated/manual tests)

2 participants