feat(notelett): encrypt note body with @bytelyst/field-encrypt

- Add field-encrypt dependency + config env vars (FIELD_ENCRYPT_*) - Create backend/src/lib/field-encrypt.ts encryptor singleton - Update notes repository: encrypt body on create/update, decrypt on read - Backward-compatible: isEncryptedField guard handles plaintext during migration - All 86 tests passing
2026-03-21 09:29:44 -07:00 · 2026-03-21 09:29:44 -07:00 · e85cfeb0f1
commit e85cfeb0f1
parent d12c5bfa02
5 changed files with 102 additions and 5 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -19,6 +19,7 @@
        "@bytelyst/errors": "file:../../learning_ai_common_plat/packages/errors",
        "@bytelyst/fastify-auth": "file:../../learning_ai_common_plat/packages/fastify-auth",
        "@bytelyst/fastify-core": "file:../../learning_ai_common_plat/packages/fastify-core",
        "@bytelyst/field-encrypt": "file:../../learning_ai_common_plat/packages/field-encrypt",
        "@bytelyst/logger": "file:../../learning_ai_common_plat/packages/logger",
        "fastify": "^5.2.1",
        "jose": "^6.0.8",
@ -160,6 +161,30 @@
        }
      }
    },
    "../../learning_ai_common_plat/packages/field-encrypt": {
      "name": "@bytelyst/field-encrypt",
      "version": "0.1.0",
      "dependencies": {
        "@bytelyst/errors": "workspace:*"
      },
      "devDependencies": {
        "vitest": "^3.0.0",
        "zod": "^3.24.0"
      },
      "peerDependencies": {
        "@azure/identity": ">=4.0.0",
        "@azure/keyvault-keys": ">=4.8.0",
        "zod": ">=3.22.0"
      },
      "peerDependenciesMeta": {
        "@azure/identity": {
          "optional": true
        },
        "@azure/keyvault-keys": {
          "optional": true
        }
      }
    },
    "../../learning_ai_common_plat/packages/logger": {
      "name": "@bytelyst/logger",
      "version": "0.1.0"
@ -449,6 +474,10 @@
      "resolved": "../../learning_ai_common_plat/packages/fastify-core",
      "link": true
    },
    "node_modules/@bytelyst/field-encrypt": {
      "resolved": "../../learning_ai_common_plat/packages/field-encrypt",
      "link": true
    },
    "node_modules/@bytelyst/logger": {
      "resolved": "../../learning_ai_common_plat/packages/logger",
      "link": true
--- a/backend/package.json
+++ b/backend/package.json
@ -22,6 +22,7 @@
    "@bytelyst/backend-flags": "file:../../learning_ai_common_plat/packages/backend-flags",
    "@bytelyst/backend-telemetry": "file:../../learning_ai_common_plat/packages/backend-telemetry",
    "@bytelyst/errors": "file:../../learning_ai_common_plat/packages/errors",
    "@bytelyst/field-encrypt": "file:../../learning_ai_common_plat/packages/field-encrypt",
    "@bytelyst/fastify-auth": "file:../../learning_ai_common_plat/packages/fastify-auth",
    "@bytelyst/fastify-core": "file:../../learning_ai_common_plat/packages/fastify-core",
    "@bytelyst/logger": "file:../../learning_ai_common_plat/packages/logger",
--- a/backend/src/lib/config.ts
+++ b/backend/src/lib/config.ts
@ -14,6 +14,11 @@ const envSchema = baseBackendConfigSchema.extend({
  MCP_SERVER_URL: z.string().default('http://localhost:4007'),
  TELEMETRY_ENABLED: z.coerce.boolean().default(false),
  FEATURE_FLAGS_ENABLED: z.coerce.boolean().default(false),
  // ── Field Encryption (@bytelyst/field-encrypt) ──
  FIELD_ENCRYPT_KEY_PROVIDER: z.enum(['akv', 'env', 'memory']).default('memory'),
  FIELD_ENCRYPT_KEY: z.string().default(''),
  FIELD_ENCRYPT_MEK_NAME: z.string().default('notelett-mek'),
  AZURE_KEYVAULT_URL: z.string().default(''),
 });
 export const config = envSchema.parse(process.env);
--- a/backend/src/lib/field-encrypt.ts
+++ b/backend/src/lib/field-encrypt.ts
@ -0,0 +1,26 @@
 /**
 * Field encryption singleton for NoteLett backend.
 */
 import { createFieldEncryptor, type FieldEncryptor } from '@bytelyst/field-encrypt';
 import { config } from './config.js';
 let _encryptor: FieldEncryptor | null = null;
 export function getEncryptor(): FieldEncryptor {
  if (_encryptor) return _encryptor;
  _encryptor = createFieldEncryptor({
    keyProvider: config.FIELD_ENCRYPT_KEY_PROVIDER,
    encryptionKey: config.FIELD_ENCRYPT_KEY || undefined,
    keyVaultUrl: config.AZURE_KEYVAULT_URL || undefined,
    mekName: config.FIELD_ENCRYPT_MEK_NAME || undefined,
  });
  return _encryptor;
 }
 /** @internal — for testing only. */
 export function _resetEncryptor(): void {
  _encryptor = null;
 }
--- a/backend/src/modules/notes/repository.ts
+++ b/backend/src/modules/notes/repository.ts
@ -1,11 +1,38 @@
 import { getCollection } from '../../lib/datastore.js';
 import { getEncryptor } from '../../lib/field-encrypt.js';
 import { isEncryptedField, type EncryptedField } from '@bytelyst/field-encrypt';
 import type { NoteDoc, ListNotesQuery } from './types.js';
 import type { FilterMap } from '@bytelyst/datastore';
 const ENCRYPT_CONTEXT = 'notes';
 function collection() {
  return getCollection<NoteDoc>('notes', '/workspaceId');
 }
 /** Encrypt body before storage. */
 async function encryptFields(doc: NoteDoc): Promise<NoteDoc> {
  const enc = getEncryptor();
  const ctx = { userId: doc.userId, context: ENCRYPT_CONTEXT };
  const encrypted = await enc.encrypt(doc.body, ctx);
  return { ...doc, body: encrypted as unknown as string };
 }
 /** Decrypt body after read. Handles plaintext (pre-migration) gracefully. */
 async function decryptFields(doc: NoteDoc): Promise<NoteDoc> {
  const enc = getEncryptor();
  const ctx = { userId: doc.userId, context: ENCRYPT_CONTEXT };
  let body = doc.body;
  if (isEncryptedField(body)) {
    body = await enc.decrypt(body as unknown as EncryptedField, ctx);
  }
  return { ...doc, body };
 }
 async function decryptBatch(docs: NoteDoc[]): Promise<NoteDoc[]> {
  return Promise.all(docs.map(decryptFields));
 }
 export async function listNotes(
  userId: string,
  productId: string,
@ -26,7 +53,7 @@ export async function listNotes(
    limit: query.limit,
  });
-  return { items, total };
+  return { items: await decryptBatch(items), total };
 }
 export async function countNotesByWorkspaces(
@ -43,11 +70,15 @@ export async function countNotesByWorkspaces(
 }
 export async function getNote(id: string, workspaceId: string): Promise<NoteDoc | null> {
-  return collection().findById(id, workspaceId);
+  const doc = await collection().findById(id, workspaceId);
  if (!doc) return null;
  return decryptFields(doc);
 }
 export async function createNote(doc: NoteDoc): Promise<NoteDoc> {
-  return collection().create(doc);
+  const encrypted = await encryptFields(doc);
  const created = await collection().create(encrypted);
  return decryptFields(created);
 }
 export async function updateNote(
@ -60,8 +91,11 @@ export async function updateNote(
    return null;
  }
  // Decrypt existing body first so merge works correctly
  const decryptedExisting = await decryptFields(existing);
  const merged: NoteDoc = {
-    ...existing,
+    ...decryptedExisting,
    ...updates,
    id: existing.id,
    workspaceId: existing.workspaceId,
@ -69,5 +103,7 @@ export async function updateNote(
    productId: existing.productId,
  };
-  return collection().upsert(merged);
+  const encrypted = await encryptFields(merged);
  const result = await collection().upsert(encrypted);
  return decryptFields(result);
 }