# NoteLett Field Encryption Coverage

Date: May 5, 2026

## Encrypted Fields

NoteLett uses `@bytelyst/field-encrypt` through `backend/src/lib/field-encrypt.ts`. Repositories decrypt fields before returning documents and accept plaintext legacy fields during reads.

| Container | Encrypted fields | Query-safe plaintext fields |
| --- | --- | --- |
| `notes` | `body` | `id`, `productId`, `workspaceId`, `userId`, `title`, `status`, `tags`, timestamps |
| `palace_memories` | `content` | wing/room ids, kinds, tags, embeddings, timestamps |
| `note_artifacts` | `title`, `description`, `blobPath` | `id`, `productId`, `workspaceId`, `userId`, `noteId`, `artifactType`, `contentType`, `sizeBytes`, timestamps |
| `note_prompts` | `description`, `systemPrompt`, `userPromptTemplate` | `id`, `productId`, `userId`, `slug`, `name`, prompt routing/config metadata, timestamps |
| `note_agent_actions` | `reason`, `beforeSummary`, `afterSummary`, `reviewNote` | `id`, `productId`, `workspaceId`, `userId`, `noteId`, actor/tool/action/state metadata, idempotency/correlation/workflow ids, review identity/timestamp |

## Migration Notes

This change is backward-compatible for existing plaintext documents: repository reads decrypt only values that match the shared `EncryptedField` envelope and pass plaintext through unchanged. Newly created and updated documents write encrypted values for the fields above.

Recommended production migration before launch is defined in `docs/DATA_MIGRATION_AND_BACKFILL_PLAN.md`. At a high level:

1. Run a one-time backfill using `@bytelyst/field-encrypt` `migrateDocuments` or an equivalent repository-level script for the fields listed above.
2. Process one container at a time, partition-aware: `notes` and artifact/action containers by `workspaceId`, prompt templates by `userId`.
3. Verify by sampling raw Cosmos documents for `__encrypted: true` on sensitive fields and by reading the same records through the NoteLett API to confirm plaintext responses.
4. Keep query filters on the query-safe plaintext fields listed above; do not add server-side filters against encrypted text fields.