feat: encrypt profile entries with passphrase-derived key, migrate to typescript

[MoustaphaCamara]

small tweaks

• moved css to dedicated folder
• separated in files to optimize usage
• style.css -> src/css/main.css
• subfiles in src/css/buttons.css, css/inputs.css etc.
• helpers in utils/helpers.ts
• migrate to typescript

fix #2
fix #8 86745a6
fix #11 5bfa1b2
fix #12 5a10e8d
fix #14

encryption

Encrypt local profile entries with passphrase-derived keys

• Replace stored profile passphrase hashes with passphrase-derived local encryption
• generate an Ed25519 keypair when creating a profile
• store the public key, key salt, and encrypted private key in profile index
• derive anunlock key from the passphrase and use it to decrypt the private key
• Encrypt entry title/body before saving to SQLite
• Decrypt entry title/body after reading from SQLite
• Clear in-memory profile keys on logout!

note: currently, the SQLite database file is still readable as a SQLite file, but entry content is encrypted. Table names, row counts, and timestamps are not encrypted in this PR. I'm not sure if we wanted to encrypt only the content or also the db itself, but files cant be read even via db. e.g.,

PROFILE=enter a profile uuid from index.json
DB="$HOME/.config/elabftw-desktop/profiles/$PROFILE/data.sqlite3"
sqlite3 "$DB"
.tables
# output: entries
.schema entries
# output: the schema of the entries table

Now try to read some

select id, title, body FROM entries;
# expected output: 1 | blablablahashed-title-long-random-looking-base64|blablablahashed-body-same-rdm-looking
.quit

Steps to reproduce & test

• Create a new profile with a passphrase
• Verify wrong passphrase does not unlock the profile
• Create entries and confirm title/body are not readable in data.sqlite3
• Verify entries decrypt correctly after unlocking with the right passphrase :)

Summary by CodeRabbit

• New Features

  • Profiles now use per-profile cryptographic keys with in-memory unlock/lock and encrypted profile secrets.
  • Entry titles and bodies are encrypted at rest.
  • New profile selector UI with create, unlock, and delete flows.

• Bug Fixes

  • Improved form submission, entry save/load flow, and error handling.

• Style

  • Added global styles for alerts, buttons, inputs, profiles, and core theme tokens.

• Chores

  • Tooling and dependency updates.

[NicolasCARPi]

on create new entry, reset state (title), instead of asking other components to remember to do it

remove all ed25519 code: we don't sign anything.

crypto is:

passphrase + salt (stored in clear in json profile) = master key

use the master key to decrypt data, because it's authenticated, you'll get an error if it's not the correct key.

[NicolasCARPi]

try and refactor this, remove many things

[NicolasCARPi]

try and use Attachments