Skip to content
UI layer: Dashboard, filters, modals, settings, passphrase gate.
Vault layer: in-memory unlock state, DEK management, encrypt/decrypt operations.
Storage layer: Supabase (Postgres), Neon Postgres, or SQLite (sql.js / IndexedDB) tables for credentials, categories, and vault config — selected at runtime via the database provider setting.
User enters secret in credential form.
Vault must be unlocked.
Secret payload is JSON-serialized and encrypted via AES-GCM using in-memory DEK.
Encrypted blob is written to credentials.secret_blob.
Decryption happens in browser after explicit reveal action.
src/main.tsx initializes CSP/security hooks and renders app.src/App.tsx wires providers (query, theme, router).src/components/SelfHostedDashboard.tsx manages configured/unconfigured states and dashboard routes.
SelfHostedDashboard: app-level view and filtering state.PassphraseGate: vault lock/unlock UX plus create-new-user entrypoint.UserRegistration: validates and provisions new user vaults without admin involvement.DashboardSettings + UserSwitcher: registered-user visibility and secure context switching.VaultManager: orchestrates storage config + secure vault runtime.SecureVault: cryptographic operations and auto-lock timer. 