2.1 KiB
2.1 KiB
NoteLett Field Encryption Coverage
Date: May 5, 2026
Encrypted Fields
NoteLett uses @bytelyst/field-encrypt through backend/src/lib/field-encrypt.ts. Repositories decrypt fields before returning documents and accept plaintext legacy fields during reads.
| Container | Encrypted fields | Query-safe plaintext fields |
|---|---|---|
notes |
body |
id, productId, workspaceId, userId, title, status, tags, timestamps |
palace_memories |
content |
wing/room ids, kinds, tags, embeddings, timestamps |
note_artifacts |
title, description, blobPath |
id, productId, workspaceId, userId, noteId, artifactType, contentType, sizeBytes, timestamps |
note_prompts |
description, systemPrompt, userPromptTemplate |
id, productId, userId, slug, name, prompt routing/config metadata, timestamps |
note_agent_actions |
reason, beforeSummary, afterSummary, reviewNote |
id, productId, workspaceId, userId, noteId, actor/tool/action/state metadata, idempotency/correlation/workflow ids, review identity/timestamp |
Migration Notes
This change is backward-compatible for existing plaintext documents: repository reads decrypt only values that match the shared EncryptedField envelope and pass plaintext through unchanged. Newly created and updated documents write encrypted values for the fields above.
Recommended production migration before launch is defined in docs/DATA_MIGRATION_AND_BACKFILL_PLAN.md. At a high level:
- Run a one-time backfill using
@bytelyst/field-encryptmigrateDocumentsor an equivalent repository-level script for the fields listed above. - Process one container at a time, partition-aware:
notesand artifact/action containers byworkspaceId, prompt templates byuserId. - Verify by sampling raw Cosmos documents for
__encrypted: trueon sensitive fields and by reading the same records through the NoteLett API to confirm plaintext responses. - Keep query filters on the query-safe plaintext fields listed above; do not add server-side filters against encrypted text fields.