add global formatting

.github/workflows/format-check.yml

@@ -0,0 +1,26 @@
+name: Format Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Check formatting
+        run: yarn format:check 

.prettierrc

@@ -1 +1,9 @@
-{}
+{
+  "semi": true,
+  "trailingComma": "all",
+  "singleQuote": true,
+  "printWidth": 100,
+  "tabWidth": 2,
+  "useTabs": false,
+  "endOfLine": "lf"
+}

.vscode/settings.json

@@ -1,8 +1,3 @@
-{
-    "cSpell.words": [
-        "crypt.fyi",
-        "sonner",
-        "tabler",
-        "tapjs"
-    ]
-}
+{
+  "cSpell.words": ["crypt.fyi", "sonner", "tabler", "tapjs"]
+}

README.md

@@ -68,17 +68,20 @@ A zero-knowledge, end-to-end encrypted secret sharing platform that enables secu
 ## Known Issues & Development Considerations
 
 ### Content Security Policy
+
 - The toast notification library (sonner) requires specific style-src hashes in the CSP configuration
 - These hashes are defined in `nginx/nginx.conf`
 - Updates to sonner may require updating these hashes
 - Reference: [sonner#449](https://github.com/emilkowalski/sonner/issues/449)
 
 ### Development Environment
+
 - Ensure Redis is running locally when developing the server
 - The web client expects the API to be available at `http://localhost:4321` by default
 - CSP headers in development may differ from production configuration
 
 ### Security Considerations
+
 - Always test encryption/decryption flows thoroughly when making changes
 - Ensure no sensitive data is logged or exposed in error messages
 - Maintain strict CSP headers to prevent XSS vulnerabilities

SECURITY.md

@@ -21,16 +21,18 @@ Please include the following information in your report:
 ## Best Practices
 
 ### Data Protection
+
 - All sensitive data is encrypted on the client, in transit, and at rest
 - No server-side logging of sensitive data
 - Zero-Trust architecture
 
 ### Development Practices
+
 - Dependencies are regularly updated and monitored for vulnerabilities
 - Code changes undergo security review before deployment
 
 ## Acknowledgments
 
 We would like to thank the following individuals who have contributed to the security of crypt.fyi through responsible disclosure:
 
-*This section will be updated as contributions are received.*
+_This section will be updated as contributions are received._

SPECIFICATION.md

@@ -3,20 +3,25 @@
 ## 1. Introduction
 
 ### 1.1 Purpose
+
 crypt.fyi is a zero-knowledge, end-to-end encrypted secret sharing platform that enables users to securely share sensitive information using AES-256 encryption. The system is designed with a "zero-knowledge" architecture, meaning the server never has access to unencrypted data or encryption keys.
 
 ### 1.2 Scope
+
 This document outlines the system architecture, security measures, and interaction patterns between client and server components of the crypt.fyi system.
 
 ## 2. System Architecture
 
 ### 2.1 High-Level Overview
+
 crypt.fyi follows a client-server architecture with the following main components:
+
 - Web Client (Browser-based interface)
 - API Server
 - Data Store (Ephemeral storage)
 
 ### 2.2 Component Interaction Flow
+
 ```
 [Web Client] <--> [API Server] <--> [Data Store]
      ^
@@ -29,35 +34,37 @@ crypt.fyi follows a client-server architecture with the following main component
 ### 3.1 Secret Management Endpoints
 
 #### POST /vault
+
 - Purpose: Store a new encrypted secret
 - Request Body:
   ```typescript
   {
-    c: string;    // encrypted content
-    h: string;    // sha256 hash of encryption key + optional password
-    b: boolean;   // burn after reading flag
-    ttl: number;  // time-to-live in milliseconds
+    c: string; // encrypted content
+    h: string; // sha256 hash of encryption key + optional password
+    b: boolean; // burn after reading flag
+    ttl: number; // time-to-live in milliseconds
   }
   ```
 - Response (201):
   ```typescript
   {
-    id: string;   // vault identifier
-    dt: string;   // delete token
+    id: string; // vault identifier
+    dt: string; // delete token
   }
   ```
 
 #### GET /vault/:vaultId
+
 - Purpose: Retrieve an encrypted secret
 - Query Parameters:
   - h: string (sha256 hash of encryption key + optional password)
 - Response (200):
   ```typescript
   {
-    c: string;    // encrypted content
-    b: boolean;   // burn after reading flag
-    ttl: number;  // time-to-live in milliseconds
-    cd: number;  // created date time (unix timestamp)
+    c: string; // encrypted content
+    b: boolean; // burn after reading flag
+    ttl: number; // time-to-live in milliseconds
+    cd: number; // created date time (unix timestamp)
   }
   ```
 - Error Responses:
@@ -67,18 +74,21 @@ crypt.fyi follows a client-server architecture with the following main component
   - 500: Server error
 
 #### DELETE /vault/:vaultId
+
 - Purpose: Delete a secret
 - Request Body:
   ```typescript
   {
-    dt: string;   // delete token
+    dt: string; // delete token
   }
   ```
 
 ## 4. Security Measures
 
 ### 4.1 Encryption
+
 1. **Client-Side Encryption**
+
    - AES-256-GCM encryption with PBKDF2 key derivation and random salt and initialization vector (IV)
    - Unique encryption key per secret
    - All encryption/decryption occurs in the browser
@@ -91,7 +101,9 @@ crypt.fyi follows a client-server architecture with the following main component
    - SHA-256 key verification
 
 ### 4.2 Zero-Knowledge Architecture
+
 1. **Server Security**
+
    - Server only receives and stores encrypted data
    - Server cannot decrypt content
    - No user accounts or authentication
@@ -107,26 +119,30 @@ crypt.fyi follows a client-server architecture with the following main component
    - Secure deletion of data
 
 ### 4.3 Transport Security
-  - CORS protection
-  - Rate limiting
-  - Request size limits
-  - TLS transport encryption
-  - Strict Content Security Policy (CSP)
-    - No eval() or unsafe-inline
-    - Restricted source origins
-    - Frame ancestors disabled
-    - Strict MIME type checking
-    - XSS protection headers
+
+- CORS protection
+- Rate limiting
+- Request size limits
+- TLS transport encryption
+- Strict Content Security Policy (CSP)
+  - No eval() or unsafe-inline
+  - Restricted source origins
+  - Frame ancestors disabled
+  - Strict MIME type checking
+  - XSS protection headers
 
 ## 5. Data Storage Requirements
 
 ### 5.1 Storage Properties
+
 1. **Ephemeral Nature**
+
    - All data must be temporary
    - Configurable Time-To-Live (TTL) per entry
    - Automatic expiration and cleanup
 
 2. **Concurrency Requirements**
+
    - Must support concurrent access
    - Must maintain data consistency
    - Must provide atomic operations for critical functions
@@ -139,7 +155,9 @@ crypt.fyi follows a client-server architecture with the following main component
    - Scalable storage solution
 
 ### 5.2 Data Integrity
+
 1. **Consistency**
+
    - Atomic operations where required
    - Proper handling of race conditions
    - Guaranteed execution order for critical operations
@@ -152,7 +170,9 @@ crypt.fyi follows a client-server architecture with the following main component
 ## 6. Client Implementation
 
 ### 6.1 Encryption Process
+
 1. **Creating a Secret**
+
    - Generate random encryption key
    - Encrypt content with AES-256-GCM
    - Optional: Encrypt again with user password
@@ -169,17 +189,20 @@ crypt.fyi follows a client-server architecture with the following main component
 ## 7. System Constraints
 
 ### 7.1 API Rate Limits
+
 - Configurable per-IP rate limiting
 - Default: Specified in server configuration
 - Must be enforced at the API level
 
 ### 7.2 Content Limits
+
 - Maximum content size: 50KB
 - Enforced at the API level
 
 ## 8. Error Handling
 
 ### 8.1 Error Responses
+
 - 400: Invalid key/password hash
 - 404: Secret not found or already burned
 - 429: Rate limit exceeded
@@ -190,11 +213,13 @@ Each error response will have an appropriate error message in the response body.
 ## 9. Rate Limiting and Quotas
 
 ### 9.1 API Rate Limits
+
 - Per-IP rate limiting enforced
 - Configurable rate limit window and request quota
 - Rate limits apply to all API endpoints
 
 ### 9.2 Content Limits
+
 - Maximum content size: 50KB
 - TTL Constraints:
   - Minimum: 1 second
@@ -204,11 +229,13 @@ Each error response will have an appropriate error message in the response body.
 ## 10. Security Measures
 
 ### 10.1 Transport Security
+
 - Mandatory HTTPS for all API endpoints
 - Strict Transport Security (HSTS) enforcement
 - Modern TLS protocols only
 
 ### 10.2 Security Headers
+
 - Content Security Policy (CSP)
   - No eval() or unsafe-inline
   - Restricted source origins
@@ -223,6 +250,7 @@ Each error response will have an appropriate error message in the response body.
 - Referrer Policy
 
 ### 10.3 Request/Response Security
+
 - Request size limits
 - Response sanitization
 - No sensitive data in logs
@@ -231,6 +259,7 @@ Each error response will have an appropriate error message in the response body.
 ## 11. Future Considerations
 
 ### 11.1 Potential Enhancements
+
 - File encryption support
 - Notification of read receipts
 - Deferred time to available w/ read-side email subscription for availability notifications

package.json

@@ -4,7 +4,9 @@
     "packages/*"
   ],
   "scripts": {
-    "dev": "concurrently \"docker compose up redis\" \"yarn workspace @crypt.fyi/server dev\" \"yarn workspace @crypt.fyi/web dev\""
+    "dev": "concurrently \"docker compose up redis\" \"yarn workspace @crypt.fyi/server dev\" \"yarn workspace @crypt.fyi/web dev\"",
+    "format": "prettier --write .",
+    "format:check": "prettier --check ."
   },
   "devDependencies": {
     "concurrently": "^9.1.0",

packages/server/babel.config.js

@@ -1,6 +1,3 @@
 module.exports = {
-  presets: [
-    ["@babel/preset-env", { targets: { node: "current" } }],
-    "@babel/preset-typescript",
-  ],
+  presets: [['@babel/preset-env', { targets: { node: 'current' } }], '@babel/preset-typescript'],
 };

packages/server/docker-compose.yaml

@@ -2,7 +2,7 @@ services:
   redis:
     image: redis:latest
     ports:
-      - "6379:6379"
+      - '6379:6379'
     volumes:
       - redis_data:/data
   jaeger:

packages/server/eslint.config.mjs

@@ -10,21 +10,21 @@ export default [
       parser: tsParser,
       parserOptions: {
         ecmaVersion: 2020,
-        sourceType: 'module'
-      }
+        sourceType: 'module',
+      },
     },
     plugins: {
       '@typescript-eslint': tsPlugin,
-      'prettier': prettierPlugin
+      prettier: prettierPlugin,
     },
     rules: {
       ...tsPlugin.configs.recommended.rules,
       ...prettierConfig.rules,
       '@typescript-eslint/explicit-function-return-type': 'off',
       '@typescript-eslint/no-explicit-any': 'warn',
-      '@typescript-eslint/no-unused-vars': ['error', { 'argsIgnorePattern': '^_' }],
-      'no-console': ['warn', { 'allow': ['warn', 'error'] }],
-      'prettier/prettier': 'error'
-    }
-  }
+      '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+      'no-console': ['warn', { allow: ['warn', 'error'] }],
+      'prettier/prettier': 'error',
+    },
+  },
 ];