/**
 * Database initialization and schema management for Frame storage.
 *
 * Creates a SQLite database with an FTS5 virtual table for full-text search
 * on reference_point, keywords, and summary_caption.
 *
 * Supports encryption via SQLCipher when the LEX_DB_KEY environment variable
 * is set. Per the declarations below, encryption is mandatory only when
 * NODE_ENV=production; in other environments a missing LEX_DB_KEY means no
 * key is returned by getEncryptionKey().
 *
 * This file contains type declarations only; the implementations are not
 * visible here, so notes marked NOTE(review) are points to confirm against
 * the implementation.
 *
 * @see CONTRACT.md for the FrameStore persistence contract
 */
import Database from "better-sqlite3-multiple-ciphers";

/**
 * FrameStore schema version following SemVer.
 *
 * Changes require:
 * - Patch: additive optional fields
 * - Minor: additive required fields with defaults
 * - Major: breaking changes
 *
 * @see CONTRACT.md for change protocol
 */
export declare const FRAME_STORE_SCHEMA_VERSION = "1.0.0";

/**
 * Row shape for a stored Frame.
 *
 * Every column is typed as a string; optional columns are `string | null`.
 * Per the file header, reference_point, keywords and summary_caption are the
 * columns covered by the FTS5 full-text index.
 *
 * NOTE(review): several columns (e.g. status_snapshot, keywords, permissions,
 * feature_flags) look like serialized structures stored as text; the encoding
 * is not visible in this declaration, so confirm before parsing.
 * NOTE(review): free-text and identity columns (summary_caption, user_id,
 * permissions) are persisted as-is; when the database runs without
 * LEX_DB_KEY they are presumably readable by anyone with access to the file.
 */
export interface FrameRow {
    id: string;
    timestamp: string;
    branch: string;
    jira: string | null;
    module_scope: string;
    summary_caption: string;
    reference_point: string;
    status_snapshot: string;
    keywords: string | null;
    atlas_frame_id: string | null;
    feature_flags: string | null;
    permissions: string | null;
    run_id: string | null;
    plan_hash: string | null;
    spend: string | null;
    user_id: string | null;
    superseded_by: string | null;
    merged_from: string | null;
}

/**
 * Database row type for the code_atlas_runs table.
 *
 * NOTE(review): `truncated` is typed as a number; presumably a 0/1 flag as is
 * usual for SQLite booleans, but confirm against the schema.
 * NOTE(review): files_requested and files_scanned are strings; their encoding
 * (for example a serialized list) is not visible here.
 */
export interface CodeAtlasRunRow {
    run_id: string;
    repo_id: string;
    files_requested: string;
    files_scanned: string;
    units_emitted: number;
    max_files: number | null;
    max_bytes: number | null;
    truncated: number;
    strategy: string | null;
    created_at: string;
    schema_version: string;
}

/**
 * Result of passphrase strength validation.
 *
 * `valid` is the overall verdict, `errors` and `warnings` carry the
 * human-readable findings, and `characterClasses` reports which character
 * classes were seen in the passphrase.
 *
 * NOTE(review): `characterClasses.count` is presumably the number of classes
 * present (0-4); confirm against the implementation.
 */
export interface PassphraseValidationResult {
    valid: boolean;
    errors: string[];
    warnings: string[];
    characterClasses: {
        hasLowercase: boolean;
        hasUppercase: boolean;
        hasDigit: boolean;
        hasSymbol: boolean;
        count: number;
    };
}

/**
 * Validate passphrase strength for entropy requirements.
 *
 * Character-class checks are a heuristic rather than a measurement of
 * entropy: a passphrase can contain all four classes and still be easy to
 * guess. Because key derivation uses a fixed salt (see deriveEncryptionKey),
 * passphrase quality is the main barrier against offline guessing.
 *
 * NOTE(review): whether getEncryptionKey() or createDatabase() call this
 * function and reject a passphrase with `valid === false` is not visible in
 * this declaration; confirm that weak passphrases are refused, not only
 * reported.
 *
 * @param passphrase - Candidate passphrase to check
 * @returns Validation verdict with errors, warnings and character-class flags
 */
export declare function validatePassphraseStrength(passphrase: string): PassphraseValidationResult;

/**
 * Get default database path: .smartergpt/lex/memory.db relative to the
 * caller workspace root.
 * Can be overridden with LEX_DB_PATH, LEX_MEMORY_DB, or LEX_WORKSPACE_ROOT
 * environment variables.
 *
 * NOTE(review): the precedence between the three variables is not visible
 * here. The resulting path comes from the process environment, so whoever
 * controls the environment chooses where the database is created; when no
 * encryption key is configured, file-system permissions on that path are
 * presumably the only protection for the stored Frames.
 *
 * @returns Path of the database file
 */
export declare function getDefaultDbPath(): string;

/**
 * Derive encryption key from passphrase using PBKDF2.
 * Uses 64K iterations as recommended by SQLCipher for security.
 *
 * NOTE: This implementation uses a fixed application salt to ensure deterministic
 * key derivation. This is necessary because:
 * 1. SQLCipher doesn't support storing salt metadata separately
 * 2. Users must derive the same key from their passphrase each session
 * 3. The passphrase itself must be high-entropy to compensate
 *
 * Security considerations:
 * - Users MUST use strong, unique passphrases (32+ characters recommended)
 * - The fixed salt prevents per-database key uniqueness
 * - This is acceptable for single-user/small-team use cases
 * - Enterprise deployments should consider HSM integration (future work)
 *
 * Consequences of the fixed salt worth keeping in mind:
 * - The same passphrase always yields the same key, in every database and
 *   every installation that uses the default salt, so a passphrase must not
 *   be reused across databases that need independent protection.
 * - Guessing work against the default salt is not specific to one database;
 *   the iteration count and the passphrase strength are the only cost factors.
 *
 * NOTE(review): 64,000 was the SQLCipher 3 default; SQLCipher 4 defaults to
 * 256,000 PBKDF2 iterations. Confirm that this work factor is still intended.
 * The PBKDF2 hash function is not visible in this declaration.
 * NOTE(review): a caller that passes its own `salt` must presumably supply
 * the same salt on every later open, otherwise a different key is derived.
 *
 * @param passphrase - User-provided passphrase from LEX_DB_KEY
 * @param salt - Optional salt (defaults to application-wide constant)
 * @returns Hex-encoded key suitable for SQLCipher
 */
export declare function deriveEncryptionKey(passphrase: string, salt?: Buffer): string;

/**
 * Get encryption key from environment variable.
 * Required in production (NODE_ENV=production).
 * Optional in development/test environments.
 *
 * The `undefined` return is the "no encryption" signal, so callers must not
 * treat it as an error to be ignored when the data is sensitive.
 *
 * NOTE(review): the production check is keyed on NODE_ENV. A deployment that
 * leaves NODE_ENV unset or set to another value would presumably take the
 * optional path and run unencrypted without an error; confirm and consider
 * logging when no key is configured.
 * NOTE(review): the passphrase is read from the process environment; keep
 * LEX_DB_KEY out of logs, crash reports and diagnostics that dump the
 * environment.
 *
 * @returns Derived encryption key or undefined if not set
 * @throws Error if NODE_ENV=production and LEX_DB_KEY is not set
 */
export declare function getEncryptionKey(): string | undefined;

/**
 * Initialize database with schema and indexes.
 *
 * Operates on an already-open connection and returns nothing.
 *
 * NOTE(review): whether this is safe to call on a database that already has
 * the schema, and whether the encryption key must be applied to `db` before
 * calling it, is not visible in this declaration.
 *
 * @param db - Open database connection to initialize
 */
export declare function initializeDatabase(db: Database.Database): void;

/**
 * Create and initialize a database connection.
 *
 * Automatically applies encryption if LEX_DB_KEY is set.
 * In production mode (NODE_ENV=production), encryption is mandatory.
 *
 * NOTE(review): outside production, an unset LEX_DB_KEY presumably yields a
 * plaintext database file. The behaviour when an existing file was created
 * with a different key, or without one, is not visible here.
 *
 * @param dbPath - Optional database file path (defaults to getDefaultDbPath())
 * @returns Initialized database connection
 */
export declare function createDatabase(dbPath?: string): Database.Database;