Local-first runtime cleanup and recovery hardening

2026-03-07 23:18:07 +03:00
parent 4e977737ee
commit 06397a6bd1
53 changed files with 1856 additions and 2080 deletions
--- a/bible-local/05-config.md
+++ b/bible-local/05-config.md
@@ -23,6 +23,18 @@ Override: `-config <path>` or `QFS_CONFIG_PATH`.
 **Important:** `config.yaml` is a runtime user file — it is **not stored in the repository**.
 `config.example.yaml` is the only config template in the repo.

+### Local encryption key
+
+Saved MariaDB credentials in SQLite are encrypted with:
+
+1. `QUOTEFORGE_ENCRYPTION_KEY` if explicitly provided, otherwise
+2. an application-managed random key file stored at `<state dir>/local_encryption.key`.
+
+Rules:
+- The key file is created automatically with mode `0600`.
+- The key file is not committed and is not included in normal backups.
+- Restoring `qfs.db` on another machine requires re-entering DB credentials unless the key file is migrated separately.
+
 ---

 ## config.yaml Structure
@@ -53,12 +65,12 @@ backup:
 | `QFS_CONFIG_PATH` | Full path to `config.yaml` | OS-specific user state dir |
 | `QFS_BACKUP_DIR` | Root directory for rotating backups | `<db dir>/backups` |
 | `QFS_BACKUP_DISABLE` | Disable automatic backups | — |
+| `QUOTEFORGE_ENCRYPTION_KEY` | Explicit override for local credential encryption key | app-managed key file |
 | `QF_DB_HOST` | MariaDB host | localhost |
 | `QF_DB_PORT` | MariaDB port | 3306 |
 | `QF_DB_NAME` | Database name | RFQ_LOG |
 | `QF_DB_USER` | DB user | — |
 | `QF_DB_PASSWORD` | DB password | — |
-| `QF_JWT_SECRET` | JWT secret | — |
 | `QF_SERVER_PORT` | HTTP server port | 8080 |

 `QFS_BACKUP_DISABLE` accepts: `1`, `true`, `yes`.