A zero-knowledge personal life organizer. It stores notes, tasks, projects, friends, events, daily goals, and sleep tracking, all encrypted in the browser before anything reaches the server.
The server stores ciphertext and an OPAQUE registration record. It cannot read the vault, even with full disk access.
Enrollment is invite-only. To request access, email nmichael111@atomicmail.io with your desired username. You'll receive a single-use enrollment link (24 hour TTL) that lets you set your password directly in the browser.
- Notes, tasks (with drag-set progress), projects, friends, events, daily goals, sleep tracking. Each entity has its own modal and surfaces on a unified bento-grid dashboard.
- Per-friend hangout log with photo support and birthday tracking. Friends, projects, and tasks can be cross-linked.
- Vault-wide JSON export and import for offline backup. The export is plaintext (the user's responsibility to store safely); the import re-encrypts under the current key.
- Optional weather tile that fetches forecasts directly from Open-Meteo using coarse coordinates (rounded to about 11 km) stored encrypted in the vault. The server is never involved.
- Strict CSP with hash-pinned inline scripts. No
unsafe-inline, nounsafe-eval. All inline scripts are SHA-256 hashed at build time. - Atomic deploys. The included
bin/deploy.tstypechecks the client and server, rsyncs, builds in place, swapsclient/buildbehind a one-second service stop, and verifies with both a loopback health check and a Playwright smoke test.
Browser Server Storage
------- ------ -------
SvelteKit 5 SPA Bun HTTP CouchDB
OPAQUE client <- RFC 9807 -> OPAQUE server
AES-256-GCM
CBOR + gzip ciphertext -> couch proxy -> single
(allowlisted) doc per
user
Authentication uses OPAQUE (RFC 9807)
via @cloudflare/opaque-ts. The server never receives the password,
not even at registration. The stored record is not a password hash.
Cracking it requires the password.
The vault itself is one encrypted blob per user. The pipeline is
object -> CBOR -> gzip -> AES-256-GCM -> base64. The AES key is
derived from OPAQUE's export_key and never transmitted.
Enrollment is invite only. The operator runs a CLI to mint a
single-use token with a 24 hour TTL. The on-disk filename is the
SHA-256 of the token, so a directory listing cannot be replayed. The
/enroll endpoint is byte-identical to any other unknown path for
clients that do not already have a token.
Transport is HTTPS via Caddy. The CSP pins inline scripts by SHA-256
hash. There is no unsafe-inline and no unsafe-eval.
See SECURITY.md for the threat model.
- Bun on the server side and for build tooling. Node is not supported.
- SvelteKit 5 with runes, static adapter.
- CouchDB 3.
@cloudflare/opaque-tsv0.7, P-256 suite.- Caddy for TLS at the edge.
bun install
bun run dev # couch + server + client concurrentlyTypecheck:
cd server && bunx tsc --noEmit
cd client && bunx svelte-kit sync && bunx svelte-checkTests:
bun test client/testsProduction build:
bun run buildThe build emits a static SvelteKit bundle in client/build/ and a
single-file enroll.html for OPAQUE registration. The inline script
in enroll.html is hash-pinned in the server CSP.
Deploys are atomic. bin/deploy.ts runs typechecks locally, rsyncs
the source to the target host, builds in place, swaps client/build
behind a service stop, restarts, and runs both a loopback health
check and a Playwright smoke test against the public URL. Any failure
aborts before the swap.
bench/results.md has measurements of the full save and load
pipelines at four fixture sizes. Reproduce with bun run bench.
client/ SvelteKit 5 SPA
src/lib/
components/ UI (tiles, modals, dashboard)
stores/ auth and nav state
vault/ types, serialize, crypto, sync, photo
crypto/ OPAQUE client wrappers
server/ Bun API and CouchDB proxy
src/
routes/ auth, enroll
services/ opaque-config, enrollment, user-service,
couch-admin, jwt, rate-limit, http
bin/ operator CLIs (init-opaque, start-enrollment,
delete-user, build-enroll)
enroll-src/ standalone enrollment page source
bin/ deploy and smoke-test tooling
bench/ vault-pipeline benchmark