093495a653
Complete backport of all features from apollo_nxt-trcaa repository: - Three-tier shell execution safety system (Tier 1: auto, Tier 2: approve, Tier 3: deny) - Ollama function calling with tool use support - AI provider tool calling auto-detection - kubectl binary bundling and management - kubeconfig upload and context management - Shell approval modal with real-time UI - MCP protocol HTTP transport with custom headers - Enhanced security audit logging - Comprehensive test coverage (275+ tests) - Updated CI/CD workflows for Gitea Actions - Complete documentation (ADRs, wiki, release notes) Sanitization applied to all files: - Removed all MSI, Motorola, VNXT, Vesta references - Replaced internal infrastructure references with TFTSR equivalents - Updated all URLs and API endpoints - Sanitized commit history references in documentation Technical changes: - New modules: shell/classifier, shell/executor, shell/kubectl, shell/kubeconfig - Enhanced AI providers: ollama.rs, openai.rs with function calling - New Tauri commands: shell execution, kubeconfig management, tool calling detection - Database migrations: shell_execution_audit table - Frontend: ShellApprovalModal, ShellExecution, KubeconfigManager pages - CI/CD: kubectl bundling, multi-platform builds, Gitea Actions integration Version: 1.0.8 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2.9 KiB
ADR-002: SQLCipher for Encrypted Storage
Status: Accepted Date: 2025-Q3 Deciders: sarman
Context
All incident data (titles, descriptions, log contents, AI conversations, resolution steps, RCA documents) must be stored locally and at rest must be encrypted. The application cannot rely on OS-level full-disk encryption being enabled.
Requirements:
- AES-256 encryption of the full database file
- Key derivation suitable for per-installation keys (not user passwords)
- No plaintext data accessible if the
.dbfile is copied off-machine - Rust-compatible SQLite bindings
Decision
Use SQLCipher via rusqlite with the bundled-sqlcipher-vendored-openssl feature flag.
Rationale
Alternatives considered:
| Option | Pros | Cons |
|---|---|---|
| SQLCipher (chosen) | Transparent full-DB encryption, AES-256, PBKDF2 key derivation, vendored so no system dep | Larger binary; not standard SQLite |
| Plain SQLite | Simple, well-known | No encryption — ruled out |
| SQLite + file-level encryption | Flexible | No atomicity; complex implementation |
| LevelDB / RocksDB | Fast, encrypted options exist | No SQL, harder migration |
sled (Rust-native) |
Modern, async-friendly | No SQL, immature for complex schemas |
SQLCipher specifics chosen:
PRAGMA cipher_page_size = 16384; -- Matches 16KB kernel page (Apple Silicon)
PRAGMA kdf_iter = 256000; -- 256k PBKDF2 iterations
PRAGMA cipher_hmac_algorithm = HMAC_SHA512;
PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA512;
The cipher_page_size = 16384 is specifically tuned for Apple Silicon (M-series) which uses 16KB kernel pages — using 4096 (SQLCipher default) causes page boundary issues.
Key Management
Per ADR-005, encryption keys are auto-generated at runtime:
- Release builds: Random 256-bit key generated at first launch, stored in
.dbkey(mode 0600) - Debug builds: Hardcoded dev key (
dev-key-change-in-prod) - Override:
TRCAA_DB_KEY(or legacyTRCAA_DB_KEY) environment variable
Consequences
Positive:
- Full database encryption transparent to all SQL queries
- Vendored OpenSSL means no system library dependency (important for portable AppImage/DMG)
- SHA-512 HMAC provides authenticated encryption (tampering detected)
Negative:
bundled-sqlcipher-vendored-opensslsignificantly increases compile time and binary size- Cannot use standard SQLite tooling to inspect database files (must use sqlcipher CLI)
cipher_page_sizemismatch between debug/release would corrupt databases — mitigated by auto-migration (ADR-005)
Migration Handling:
If a plain SQLite database is detected in a release build (e.g., developer switched from debug), migrate_plain_to_encrypted() automatically migrates using ATTACH DATABASE + sqlcipher_export. A .db.plain-backup file is created before migration.