* feat(sync): encrypt opds_catalog credentials end-to-end (TS path) Wires encrypted-credential sync for opds_catalog via the CryptoSession shipped in PR 4a (#4084) plus a new publish/pull crypto middleware. TS-only — native still uses ephemeral storage (re-enter passphrase per launch); PR 4d wires the OS keychain. - ReplicaAdapter gains optional `encryptedFields: readonly string[]`. Adapters stay sync; the middleware handles the crypto round trip. - replicaCryptoMiddleware.ts: encryptPackedFields drops the named fields from the push when the session is locked (no plaintext leak); decryptRowFields drops them on pull failure (local plaintext preserved by the store merge). - replicaPublish / replicaPullAndApply invoke the middleware. - OPDS adapter declares encryptedFields = [username, password] and now pack/unpack them as plaintext. - passphraseGate.ts: ensurePassphraseUnlocked coalesces concurrent calls, prompts via the registered prompter with kind=setup|unlock, throws NO_PASSPHRASE on cancel. - PassphrasePromptModal mounted at the Providers root; registers itself as the gate prompter. - CryptoSession.forget() wipes server-side envelopes + salts. - Migration 010 + replica_keys_forget RPC; DELETE /api/sync/replica-keys + client wrapper. - SyncPassphraseSection on the user page: status / Set / Unlock / Lock / Forgot. - CatalogManager pre-save: ensurePassphraseUnlocked when credentials are present; user cancel saves locally without sync. Plan updated: PR 4 split documented as 4a/4b/4c/4d. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(sync): persist sync passphrase via OS keychain (Tauri) Replaces the EphemeralPassphraseStore stub on native with real OS-keychain storage so users don't re-enter their sync passphrase every launch. Web stays on the in-memory ephemeral store by design. Native bridge plugin gains 4 commands wired across all platforms: - Rust desktop (`keyring` crate): macOS Keychain on apple-native, Windows Credential Manager on windows-native, Linux libsecret/ Secret Service on sync-secret-service. Per-target features so each platform compiles only the backend it needs. - iOS Swift: Security framework Keychain (kSecClassGenericPassword, SecItemAdd / Copy / Delete). - Android Kotlin: androidx.security EncryptedSharedPreferences (AndroidKeystore-derived AES-GCM master key, AES256_SIV / AES256_GCM key/value encryption). TS layer: - TauriPassphraseStore wraps the bridge calls. set is fail-loud (surfaces keychain rejection); get is fail-soft (returns null on any error so the gate prompts). - createPassphraseStore returns ephemeral synchronously; upgradeToKeychainIfAvailable swaps the singleton to TauriPassphraseStore on Tauri after probing the bridge. CryptoSession resolves the store via createPassphraseStore() each touch so the swap is transparent. - CryptoSession.tryRestoreFromStore: silent unlock at boot. Stale- entry recovery clears the store when the account has no salt server-side. unlock/setup persist; forget also clears the store. - Providers boot effect: upgrade keychain → silent restore. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(sync): make encrypted-credential pull actually decrypt + UX polish PR 4c shipped the encrypt path but the pull side silently dropped ciphers when locked, the modal was busy with double-rings, and web re-prompted on every page refresh. This rolls up the post-test fixes + UX polish: Pull-side decrypt: - decryptRowFields takes an `onLocked` callback the orchestrator wires to the passphrase gate; encountering a cipher field with a locked session now triggers the lazy-prompt path instead of dropping the field. - replicaPullAndApply re-applies the unpacked row for metadata-only kinds even when a local copy exists, so the now-decrypted creds reach the store (the binary-kind skip-if-local optimization doesn't apply). - Cipher fingerprint comparison: capture the row's `cipher.c` for each encrypted field, compare against the local record's lastSeenCipher. Same → skip prompt + decrypt entirely. Different (rotation / value change on another device) → prompt to re-decrypt. Fingerprint persists via OPDSCatalog.lastSeenCipher. Web persistence: - SessionStoragePassphraseStore: passphrase survives page refresh within the same tab, dies on tab close. Replaces EphemeralPassphraseStore as the default on web. Avoids localStorage / IndexedDB to keep the tab-scoped trust boundary. UI: - Renamed PassphrasePromptModal → PassphrasePrompt; modernized: filled input style with single subtle focus border, btn-primary + btn-ghost replaced with leaner custom buttons. eink-bordered + btn-primary classes give the dialog correct e-paper rendering. - globals.css: suppress redundant outline/box-shadow on focused text inputs / textareas (the element's own border is the focus indicator). - AGENTS.md: documents the e-ink convention (`eink-bordered`, `btn-primary` for inverted CTAs, etc.) so future widgets ship with e-paper support. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5.8 KiB
Project Overview
Readest is a cross-platform ebook reader built as a Next.js 16 + Tauri v2 hybrid app. It's part of a pnpm monorepo at /apps/readest-app/. The app runs on web (CloudFlare Workers), desktop (macOS/Windows/Linux via Tauri), and mobile (iOS/Android via Tauri).
Common Commands
# Development
pnpm dev-web # Web-only dev server (no Rust compilation needed)
pnpm tauri dev # Desktop dev with Tauri (compiles Rust backend)
# Building
pnpm build # Build Next.js for Tauri
pnpm build-web # Build Next.js for web deployment
# Testing (see [docs/testing.md](docs/testing.md) for full details)
pnpm test # Unit tests (vitest + jsdom)
pnpm test -- src/__tests__/utils/misc.test.ts # Run a single test file
pnpm test -- --watch # Watch mode
pnpm test:browser # Browser tests (Chromium via Playwright)
pnpm tauri:dev:test # Start Tauri app with webdriver
pnpm test:tauri # Run Tauri integration tests
# Linting & Formatting
pnpm lint # Biome (linter) + tsgo (type check)
pnpm format # Prettier (runs from monorepo root)
pnpm format:check # Check formatting without writing
# Rust
pnpm fmt:check # Check formatting Rust code (src-tauri)
pnpm clippy:check # Lint Rust code (src-tauri)
Source Layout
| Directory | Purpose |
|---|---|
src/app/ |
Next.js App Router pages and API routes |
src/components/ |
React components (reader, settings, library, assistant, etc.) |
src/services/ |
Business logic: TTS, translators, OPDS, sync, AI, metadata |
src/store/ |
Zustand state stores |
src/hooks/ |
Custom React hooks |
src/libs/ |
Document loaders, payment, storage, sync |
src/utils/ |
Pure utility functions |
src/types/ |
TypeScript type definitions |
src/context/ |
React Context providers (Auth, Env, Sync, etc.) |
src/workers/ |
Web Workers for background tasks |
src-tauri/ |
Rust backend: Tauri plugins, platform-specific code |
Path Aliases (tsconfig)
@/*→./src/*@/components/ui/*→./src/components/primitives/*
Rust Backend (src-tauri/)
Platform-specific code lives in src-tauri/src/{macos,windows,android,ios}/. Custom Tauri plugins are in src-tauri/plugins/.
Git Worktrees
Always use pnpm worktree:new <branch-name|pr-number> to create worktrees. Never use git worktree add directly — the script handles submodule initialization (simplecc WASM, foliate-js), dependency installation, .env copying, vendor assets, and Tauri gen symlinks that are required for lint and tests to pass.
pnpm worktree:new feat/my-feature # New branch from origin/main
pnpm worktree:new 3837 # Checkout PR #3837 with push access to fork
Project Rules
Rules are in .claude/rules/: test-first, typescript, verification.
i18n
See docs/i18n.md for the key-as-content translation approach, stubTranslation usage in non-React modules, and extraction workflow.
Safe Area Insets
See docs/safe-area-insets.md for rules on handling top/bottom insets for UI elements near screen edges.
E-ink mode
Every new UI widget must look right under [data-eink='true']. E-ink screens have no shadows, no gradients, slow refresh, and need crisp 1px borders for delineation. The conventions live in src/styles/globals.css — reuse the existing classes instead of inventing new ones:
- Surfaces / inputs — add
eink-bordered. In eink mode it swaps tobg-base-100+ 1pxbase-contentborder. Use it on inputs, custom button backgrounds, ghost-styled cancel buttons, and any container that needs a visible boundary. - Primary action buttons — add
btn-primary(alongside whatever Tailwind classes you use for color themes). The[data-eink] .btn-primaryrule inverts tobase-contentbg +base-100text so the primary CTA stays distinct from secondary actions. .modal-boxpicks up no-shadow + 1px border automatically; dialogs that use it don't need additions.- Don't rely on color/shadow alone for hierarchy. Two same-tone buttons differ only by hover on color themes, and hover doesn't exist on e-ink touchscreens. Pair a borderless ghost (cancel) with a solid CTA (submit) so eink can invert one without flattening the difference.
When in doubt, toggle E-ink in Settings → Misc and check. The rules in globals.css cover most cases automatically, but composite components (custom buttons, layered cards) often need eink-bordered on the right element to stay legible.
Available gstack skills:
/plan-ceo-review— CEO/founder-mode plan review/plan-eng-review— Eng manager-mode plan review/plan-design-review— Designer's eye review of a live site/design-consultation— Design system consultation/review— Pre-landing PR review/ship— Ship workflow (merge, test, review, bump, PR)/browse— Fast headless browser for QA and site interaction/qa— QA test and fix bugs/qa-only— QA report only (no fixes)/qa-design-review— Designer's eye QA with fixes/setup-browser-cookies— Import cookies for authenticated testing/retro— Weekly engineering retrospective/document-release— Post-ship documentation update
If gstack skills aren't working, run cd .claude/skills/gstack && ./setup to build the binary and register skills.