draft: database layer refactor

[ZacharyZcR]

Status

Draft / important branch. This PR is the long-running database layer refactor branch. It is continuing repository-boundary migration while keeping every migrated domain behind gray-rollout controls.

Goal

Replace the current in-memory encrypted SQLite snapshot model with a safer persistent database architecture that can support SQLite, PostgreSQL, and MySQL/MariaDB.

Gray rollout scope

• Existing encrypted SQLite snapshot runtime only.
• No PostgreSQL/MySQL runtime in this gray phase.
• No multi-instance deployment.
• No new schema/data-format migration required by this gray slice.
• Migrated repository domains are gated by DATABASE_LAYER_REPOSITORY_ROLLOUT.
• Gray rollout guide: readme/DATABASE-LAYER-GRAY-ROLLOUT.md

Current progress

• Added the database layer refactor plan and Phase 0 database access audit.
• Added database runtime config and SQLite adapter skeleton.
• Added repository skeletons for settings, users, sessions, hosts, credentials, field encryption, roles, and RBAC access read/write models.
• Migrated database import/export settings reads and admin upserts to SettingsRepository.
• Migrated database export host and credential read/decryption paths to HostRepository and CredentialRepository.
• Migrated database import host and credential duplicate checks plus encrypted creates to HostRepository and CredentialRepository.
• Migrated settings, session, user, API key, trusted device, credential read/usage, SSO provider, audit log, user preference, open tab, dismissed alert, homepage layout, homepage item, network topology, dashboard service link, session recording, command history, recent activity cleanup, SSH credential usage, transfer recent, file manager bookmarks, C2S tunnel presets, tmux session tags, OPKSSH tokens, Vault tokens, Vault profiles, host metrics preferences, host health, host metrics history, alert persistence, user data export reads, host folders, host resolution, role, and RBAC access paths behind current repository boundaries where listed in the gray guide.
• Migrated dismissed alert active filtering, dismiss/undismiss, dismissed list, user export, user deletion cleanup, password-reset encrypted-data cleanup, and database import/export dismissed alert reads/writes to DismissedAlertRepository.
• Migrated homepage layout read/write to HomepageLayoutRepository.
• Migrated homepage item list/create/update/delete to HomepageItemRepository.
• Migrated network topology read/write and user cleanup to NetworkTopologyRepository.
• Migrated dashboard service link list/create/update/delete to DashboardServiceLinkRepository.
• Migrated session recording create/list/read/content/delete/prune plus host/folder/user cleanup to SessionRecordingRepository.
• Migrated terminal and host command history save/list/delete plus host/folder/user cleanup to CommandHistoryRepository.
• Migrated recent activity host/folder/user/password-reset cleanup to RecentActivityRepository.
• Migrated SSH credential usage writes, database export reads, and host/folder/user/password-reset cleanup to SshCredentialUsageRepository.
• Migrated transfer recent list/upsert/prune/export and host/folder/user cleanup to TransferRecentRepository.
• Migrated file manager recent/pinned/shortcut list/create/delete/export and host/folder/user/password-reset cleanup to FileManagerBookmarkRepository.
• Migrated database import/export file-manager recent/pinned/shortcut target reads and writes to FileManagerBookmarkRepository.
• Migrated C2S tunnel preset list/create/update/delete to C2sTunnelPresetRepository.
• Migrated tmux session tag list/rename/delete/replace to TmuxSessionTagRepository.
• Migrated OPKSSH token upsert/read/touch/delete and user cleanup to OpksshTokenRepository.
• Migrated Vault token upsert/read/touch/delete to VaultTokenRepository.
• Migrated Vault profile list/create/update/delete and profile lookup to VaultProfileRepository.
• Migrated host metrics layout preference read/upsert and statsConfig widget sync to HostMetricsPreferenceRepository.
• Migrated host health check config and history read/write to HostHealthRepository.
• Migrated host metrics history record/prune/query to HostMetricsHistoryRepository.
• Migrated alert notification channels, rules, linked channels, firings, and alert engine persistence reads/writes to AlertRepository.
• Migrated user data export host and credential read models to UserDataExportRepository.
• Migrated dashboard recent activity list/log/trim/reset to RecentActivityRepository, with dashboard host access checks routed through current host resolution, role, and RBAC access repositories.
• Migrated SSH folder list, metadata upsert, rename, and folder host deletion writes to HostFolderRepository.
• Migrated host, jump-host, Docker SSH, Proxmox discovery, Docker console jump-host, file-manager activity, host metrics, terminal SSH auth, tunnel endpoint credential, credential deployment, command history host-flag, snippet execution, terminal OPKSSH/activity, Vault OIDC profile, Wake-on-LAN resolution, internal host list, and host-key verification host, credential, and shared override read/write models to HostResolutionRepository.
• Migrated Guacamole host-token host and protocol credential reads to HostResolutionRepository while preserving request-user credential decryption behavior.
• Migrated credential create/update encrypted writes to CredentialRepository, preserving user-key field encryption and system-key copies for shared credentials.
• Migrated credential system-key copy backfill migration to current credential and shared credential repository boundaries.
• Centralized legacy user field-encryption migration SQL behind RawSqliteUserEncryptionMigrationStore, leaving DataCrypto and LazyFieldEncryption on a storage boundary.
• Migrated auth login lazy user-field encryption migration to the DataCrypto current-runtime migration boundary, removing direct SQLite opening from auth-manager.ts and keeping current SQLite resolution behind createCurrentUserEncryptionMigrationStore.
• Migrated user, admin, TOTP, OIDC account, and credential migration explicit saves to DatabaseSaveTrigger, removing direct SQLite snapshot-save imports from those routes.
• Initialized the current SQLite snapshot save trigger after database startup regardless of file-encryption mode, routed backend shutdown through that save boundary, and routed current user-field migration saves through DatabaseSaveTrigger.
• Isolated database import SQLite foreign-key toggling behind withSqliteForeignKeysDisabled, restoring constraints through a finally path, routed the import route through the current SQLite boundary without importing getDb(), and centralized current SQLite resolution through current-repository-runtime.
• Centralized legacy unencrypted SQLite copy and verification behind LegacySqliteDatabaseCopyStore, leaving DatabaseMigration as the file backup/encrypt/rename orchestrator.
• Migrated credential delete host cleanup and apply-to-host writes to HostRepository.
• Migrated Termix ID credential lookup, generated credential persistence, and generated credential cleanup to CredentialRepository.
• Added the termix_identity repository rollout domain and migrated Termix ID identity handle CRUD/resolution, public key publish/list/update/delete, linked credential lookup, and certificate target key lookup to TermixIdentityRepository.
• Added the termix_identity_ca repository rollout domain and migrated Termix ID CA public lookup, encrypted private-key create/rotate/delete, and certificate signing reads to TermixIdentityCaRepository.
• Migrated users route setup/count/db-health, password-login TOTP guard, last-admin delete guard reads, database import/export user checks, and user-deletion key/device/dashboard/homepage/health/metrics/alerts/Termix-ID/tmux/C2S/Vault cleanup to current repository boundaries.
• Migrated LDAP first-user provisioning and admin-group user creation to UserRepository.
• Migrated host route quick-connect and credential resolution reads to HostResolutionRepository.
• Migrated host route update readback, single-host fetch, password-field fetch, and host export reads to HostResolutionRepository.
• Migrated host route create/update encrypted writes to HostRepository, preserving user-key field encryption.
• Migrated host route update-state and delete-audit host reads to HostResolutionRepository.
• Migrated host route delete final host-row writes and audit actor username lookups to HostRepository and UserRepository.
• Migrated host route own/shared list assembly reads to HostResolutionRepository while preserving route-level own-host decryption.
• Migrated host bulk-update state reads, non-sensitive bulk flag/config writes, and JSON plus SSH-config import encrypted create/update writes to HostRepository, with overwrite lookup and credential fallback reads routed through current host resolution and credential repositories.
• Migrated host autostart enable, disable, status, and endpoint-host resolution paths to HostRepository.
• Added the snippets repository rollout domain and migrated snippet folder list, owned lookup, visible-list owned reads, reorder, create/update/delete, export reads, bulk import, and folder create/metadata/rename/delete writes to SnippetRepository.
• Migrated user deletion and password-reset data-discard snippet cleanup to SnippetRepository, and host folder record cleanup to HostFolderRepository.
• Migrated RBAC route host/snippet owner checks and direct host-access override credential existence reads to current host, snippet, and credential repository boundaries.
• Added the shared_credentials repository rollout domain and migrated shared credential material create/update/delete, pending re-encryption, and user cleanup persistence to SharedCredentialRepository.
• Removed unlock-only SimpleDBOps dependencies from host metrics, host metrics viewer, tmux monitor, Docker, tunnel, and Proxmox paths; those gates now use DataCrypto directly.
• Removed the legacy SimpleDBOps compatibility helper after source imports reached zero.
• Added repository rollout parsing, startup logging, admin status visibility, and fail-closed domain guards for the migrated gray slice.
• Added automatic database-layer pre-upgrade backup before database startup; existing SQLite snapshot files and .env are copied under <DATA_DIR>/backups/pre-database-layer-refactor-<timestamp>/, with a marker to avoid repeat backups and fail-closed startup unless explicitly skipped.
• Added current-repository-runtime and migrated settings, user, host, API key, session, trusted device, audit log, user preference, open tab, dismissed alert, homepage layout/item, network topology, dashboard service link, session recording, command history, recent activity, transfer recent, file-manager bookmark, C2S tunnel preset, tmux session tag, OPKSSH token, Vault token/profile, SSH credential usage, role, SSO provider, host folder, alert, host health, host metrics preference/history, credential, host resolution, snippet, shared credential, Termix ID identity/CA, RBAC access, and user data export current repository factories to shared SQLite context and write-save hook construction.

Gray controls

• DATABASE_LAYER_REPOSITORY_ROLLOUT=all enables all migrated repository domains.
• DATABASE_LAYER_REPOSITORY_ROLLOUT=settings,users,sessions,api_keys,trusted_devices,credentials,termix_identity,termix_identity_ca,hosts,snippets,sso_providers,audit_logs,user_preferences,open_tabs,dismissed_alerts,homepage_layouts,homepage_items,network_topology,dashboard_service_links,session_recordings,command_history,recent_activity,ssh_credential_usage,transfer_recent,file_manager_bookmarks,c2s_tunnel_presets,tmux_session_tags,opkssh_tokens,vault_tokens,vault_profiles,host_metrics_preferences,host_health,host_metrics_history,alerts,user_data_exports,host_folders,host_resolution,roles,rbac_access,shared_credentials enables the intended gray slice explicitly.
• DATABASE_LAYER_REPOSITORY_ROLLOUT=off disables migrated repository domains and fails closed.
• Partial allowlists are supported for staging checks, for example settings,users.
• Startup logs operation repository_rollout_config with the parsed mode and domains.
• Admin GET /database/migration/status includes repositoryRollout for live gray verification.
• Rollout startup/status warnings flag implicit, disabled, or partial configurations.
• DATABASE_LAYER_SKIP_PREUPGRADE_BACKUP=1 bypasses the automatic pre-upgrade backup only when an external backup has already been verified.
• DATABASE_LAYER_PREUPGRADE_BACKUP_KEEP=<count> controls how many automatic pre-upgrade backups are retained; the default is 3.

Pre-gray validation

• npm run type-check
• targeted eslint for rollout/current repositories, SSO provider repository, audit log repository, user preference repository, open tab repository, dismissed alert repository, homepage layout repository, homepage item repository, network topology repository, dashboard service link repository, session recording repository, command history repository, recent activity repository, SSH credential usage repository, transfer recent repository, file manager bookmark repository, C2S tunnel preset repository, tmux session tag repository, OPKSSH token repository, Vault token repository, Vault profile repository, host metrics preference repository including statsConfig widget sync, host health repository, host metrics history repository, alert repository, user data export repository, host folder repository, host resolution repository, RBAC access repository, RBAC/snippet/host/credential/delete-user/open-tabs/user-preferences/user-admin/LDAP/users/OIDC/SSO-provider/audit/folder/file-manager-bookmark/C2S/alerts/homepage-layout/homepage-items/network-topology/dashboard-service-link/session-log/host-command-history/terminal/password-reset routes, terminal-session-manager.ts, tmux-monitor.ts, opkssh-auth.ts, vault-signer-auth.ts, vault-oidc-auth.ts, host-resolver.ts, host-metrics-preferences-routes.ts, managers/health.ts, host-metrics.ts, host-metrics-history-routes.ts, alert-engine.ts, user-data-export.ts, audit-logger.ts, permission-manager.ts, shared-credential-manager.ts, and starter.ts
• targeted database-layer pre-upgrade backup and rollout test set: 2 files, 14 tests
• targeted host-resolution/permission-manager repository test set: 2 files, 18 tests
• targeted host/credential/rollout repository test set: 2 files, 20 tests
• targeted credential system-key migration test set: 2 files, 14 tests
• targeted user encryption migration storage test set: 2 files, 4 tests
• targeted legacy SQLite migration copy test set: 2 files, 4 tests
• targeted database settings import/export repository test set: 2 files, 7 tests
• targeted database host/credential export/import repository test set: 1 file, 16 tests
• targeted database file-manager import/export repository test set: 1 file, 4 tests
• targeted database dismissed-alert/SSH-credential-usage import/export repository test set: 2 files, 6 tests
• migrated repository gray test set including host metrics history, alerts, and user data export reads: 33 files, 107 tests
• users direct access scan now reports 11 text matches; these are comments, permission strings, or non-database user manager references
• database import/export users table direct access now reports 0 matches; remaining users text is route naming or SQLite export file format
• ldap-auth-routes direct DB/schema/SQLite query scan now reports 0 matches
• sessions direct access scan now reports 4 route text matches; these are comments or open-tab runtime session mapping, not database session table writes
• hostAccess direct route/utils scan now reports 0 matches
• shared-credential-manager userRoles direct scan now reports 0 matches
• user deletion role cleanup direct scan now reports 0 matches in delete-user-data.ts
• user-admin role sync direct scan now reports 0 matches in user-admin-routes.ts
• LDAP role sync direct scan now reports 0 matches in ldap-auth-routes.ts
• users route role assignment direct scan now reports 0 matches in users.ts
• route/utils userRoles direct scan now reports 0 matches
• route/utils ssoProviders direct scan now reports 0 matches
• route/utils auditLogs direct scan now reports 0 matches
• route/utils userPreferences direct scan now reports 0 matches
• route/utils userOpenTabs direct scan now reports 0 matches
• route/utils dismissedAlerts database access scan now reports 0 matches; remaining dismissedAlerts text is export JSON field metadata
• route/utils homepageLayouts database access scan now reports 0 matches
• route/utils homepageItems database access scan now reports 0 matches
• route/utils networkTopology database access scan now reports 0 matches
• route/utils dashboardServiceLinks database access scan now reports 0 matches
• route/utils sessionRecordings database access scan now reports 0 matches
• route/utils commandHistory database access scan now reports 0 matches
• route/utils recentActivity database access scan now reports 0 matches
• route/utils sshCredentialUsage database access scan now reports 0 matches
• route/utils transferRecent database access scan now reports 0 matches; remaining transferRecent text is export JSON field metadata or repository-owned access
• route/utils fileManagerRecent/fileManagerPinned/fileManagerShortcuts database access scan now reports 0 matches; remaining bookmark text is export JSON field metadata or repository-owned access
• route/utils c2sTunnelPresets database access scan now reports 0 matches
• route/utils/ssh tmuxSessionTags database access scan now reports 0 matches
• route/utils/ssh opksshTokens database access scan now reports 0 matches
• route/utils/ssh vaultTokens database access scan now reports 0 matches
• route/utils/ssh vaultProfiles database access scan now reports 0 matches
• route/utils/ssh hostMetricsPreferences database access scan now reports 0 matches; remaining host_metrics_preferences text is save-reason metadata
• host-metrics-preferences-routes direct stats_config update scan now reports 0 matches; remaining stats_config text is explanatory comment metadata
• route/utils/ssh hostHealthChecks/hostHealthHistory database access scan now reports 0 matches
• route/utils/ssh hostMetricsHistory database access scan now reports 0 matches
• route/utils/ssh alert_rules/notification_channels/alert_rule_channels/alert_firings database access scan now reports 0 matches; remaining alert_rules/alert_firings text is logger operation metadata
• user-data-export direct host/credential database access scan now reports 0 matches
• host-folder-routes direct DB/schema access scan now reports 0 matches
• host-resolver direct DB/schema/SimpleDBOps access scan now reports 0 matches
• jump-host helper direct DB/schema/SimpleDBOps access scan now reports 0 matches in jump-host-chain.ts, terminal-jump-hosts.ts, and host-metrics-jump-hosts.ts
• docker-console jump-host direct DB/schema/SimpleDBOps access scan now reports 0 matches
• docker SSH resolution direct DB/schema/SimpleDBOps data access scan now reports 0 matches
• proxmox discovery direct DB/schema/SimpleDBOps data access scan now reports 0 matches
• file-manager activity host lookup direct DB/schema/SimpleDBOps access scan now reports 0 matches
• host-metrics resolution direct DB/schema/SimpleDBOps data access scan now reports 0 matches
• terminal SSH auth credential direct DB/schema/SimpleDBOps access scan now reports 0 matches
• tunnel endpoint credential direct DB/schema/SimpleDBOps data access scan now reports 0 matches
• credential deployment resolution direct DB/schema/SimpleDBOps access scan now reports 0 matches
• command history host-flag direct DB/schema access scan now reports 0 matches
• snippet execution resolution direct DB/schema/SimpleDBOps access scan now reports 0 matches
• terminal OPKSSH/activity host resolution direct DB/schema/SimpleDBOps access scan now reports 0 matches
• Vault OIDC profile host resolution direct DB/schema access scan now reports 0 matches
• Wake-on-LAN host resolution direct DB/schema access scan now reports 0 matches
• internal host list direct DB/schema access scan now reports 0 matches
• host-key verifier direct DB/schema access scan now reports 0 matches
• credentials list/folder/detail read path direct DB/schema access scan now reports 0 matches
• credential update lookup/readback direct DB/schema access scan now reports 0 matches
• credentials.ts direct DB/schema/SimpleDBOps scan now reports 0 matches
• termix-id ssh credential direct DB/schema/SimpleDBOps scan remains 0 matches
• credential-system-encryption-migration direct DB/schema scan now reports 0 matches
• DataCrypto/LazyFieldEncryption direct SQL/prepare scan now reports 0 matches; legacy SQLite SQL is isolated in RawSqliteUserEncryptionMigrationStore
• DataCrypto direct getDb/getSqlite scan now reports 0 matches; current SQLite access is isolated in createCurrentUserEncryptionMigrationStore and resolves through current-repository-runtime
• auth-manager lazy encryption migration getSqlite scan now reports 0 matches; current SQLite access is isolated behind the user encryption migration store factory
• user/admin/TOTP/OIDC account route direct saveMemoryDatabaseToFile scan now reports 0 matches; remaining snapshot saves are shutdown and DataCrypto migration boundaries
• targeted user TOTP/session repository save-boundary test set: 2 files, 13 tests
• targeted database save trigger boundary test set: 1 file, 2 tests
• targeted SQLite foreign-key import and user-encryption migration runtime boundary test set: 2 files, 5 tests
• direct saveMemoryDatabaseToFile scan outside db/index now reports 0 matches
• database import route direct PRAGMA foreign_keys exec scan now reports 0 matches; foreign-key toggling is runtime-boundary-owned
• database import route direct getDb/getSqlite scan now reports 0 matches; backend-wide getDb/getSqlite scan now reports only db/index definitions and current-repository-runtime usage
• settings/user/host current repository factory direct getDb/getSqlite/DatabaseSaveTrigger construction now routes through current-repository-runtime
• database-migration direct SQLite prepare/open/serialize scan now reports 0 matches; legacy copy SQL is isolated in LegacySqliteDatabaseCopyStore
• database import/export settings direct settings-table access now reports 0 matches outside SettingsRepository
• database export/import host/credential direct table/encryption access now reports 0 matches
• database import/export file-manager direct target-table access now reports 0 matches in database.ts; remaining file_manager_* text is legacy SQLite import/export file format
• database import/export dismissedAlerts/sshCredentialUsage direct target-table access now reports 0 matches in database.ts; remaining text is summary variables or repository-owned access
• SimpleDBOps/simple-db-ops source scan now reports 0 matches; remaining mentions are historical docs only
• termix-id identity/key/CA route direct DB/schema/SimpleDBOps scan now reports 0 matches
• termix-id CA private-key persistence SimpleDBOps/termixIdentityCa route scan remains 0 matches
• targeted Termix ID identity/CA repository/rollout/route test set: 4 files, 20 tests
• targeted user deletion Termix-ID/tmux cleanup test set: 3 files, 13 tests
• host.ts sshCredentials direct access scan now reports 0 matches
• host.ts migrated readback/fetch/export direct SimpleDBOps host read scan now reports 0 matches
• host.ts update-state and delete-audit direct host read scan now reports 0 matches
• host.ts direct DB/schema/SimpleDBOps scan now reports 0 matches; host list assembly is behind HostResolutionRepository
• host-bulk-routes direct DB/schema/SimpleDBOps scan now reports 0 matches
• host-autostart-routes direct DB/schema/SimpleDBOps scan now reports 0 matches
• targeted host bulk repository test set: 2 files, 23 tests
• targeted host repository test set: 1 file, 10 tests
• targeted settings/user/host current repository runtime test set: 3 files, 29 tests
• targeted API key/session/trusted-device/audit-log/user-preference/open-tab/dismissed-alert/homepage/network-topology current repository runtime test set: 10 files, 28 tests
• targeted user deletion API-key/trusted-device cleanup test set: 3 files, 13 tests
• targeted user deletion C2S/Vault cleanup test set: 3 files, 10 tests
• targeted dashboard-service/recording/command-history/recent-activity/transfer/file-manager current repository runtime test set: 6 files, 16 tests
• targeted user deletion dashboard/homepage cleanup test set: 3 files, 9 tests
• targeted C2S/tmux/OPKSSH/Vault/SSH-usage current repository runtime test set: 6 files, 16 tests
• targeted role/SSO/host-folder/alert/host-health/host-metrics current repository runtime test set: 7 files, 26 tests
• targeted user deletion alert cleanup test set: 1 file, 6 tests
• final targeted user deletion cleanup test set: 14 files, 51 tests
• targeted user deletion host-health/host-metrics cleanup test set: 2 files, 7 tests
• targeted credential/host-resolution/snippet/shared-credential/Termix-ID/user-data-export current repository runtime test set: 7 files, 55 tests
• targeted RBAC access repository runtime test set: 1 file, 15 tests
• current repository factory direct runtime construction scan now reports 0 matches; RBAC access current factory now uses shared SQLite context and write-save hook construction, and RBAC repository tests freeze active access time for role-expiry coverage
• snippets folder-list/owned-lookup/export direct DB read scan now reports 0 matches
• snippets folder create/metadata/rename/delete direct DB route scan now reports 0 matches
• snippets reorder/visible-list/create/update/delete direct DB route scan now reports 0 matches
• snippets.ts direct DB/schema/Drizzle route scan now reports 0 matches
• targeted snippet repository test set: 1 file, 14 tests
• targeted snippet repository/rollout test set: 2 files, 12 tests
• rbac.ts direct host/snippet/credential DB/schema access scan now reports 0 matches
• targeted host/snippet/credential repository test set: 3 files, 36 tests
• users.ts direct user DB/schema/SQLite query scan now reports 0 matches
• delete-user-data and password-reset direct DB/schema scan now reports 0 matches; user deletion now explicitly clears API keys, trusted devices, dashboard links, homepage layout/items, host health checks/history, host metrics preferences, alert firings/rules/channels, Termix ID identity/CA, tmux session tags, C2S presets, Vault tokens, and Vault profiles through current repositories before deleting the user
• targeted user route/repository test set: 3 files, 32 tests
• targeted user/session repository test set: 1 file, 7 tests
• user deletion/password-reset snippet and host-folder cleanup direct route scan now reports 0 matches
• targeted snippet/host-folder cleanup repository test set: 2 files, 19 tests
• shared-credential-manager and delete-user-data direct shared credential DB/schema access scan now reports 0 matches
• targeted shared credential repository/rollout test set: 2 files, 12 tests
• unlock-only SimpleDBOps dependency scan now reports 0 matches across host metrics, host metrics viewer, tmux monitor, Docker, tunnel, and Proxmox paths
• targeted tmux monitor helper test set: 1 file, 13 tests
• dashboard.ts direct DB/schema/SimpleDBOps access scan now reports 0 matches
• targeted dashboard activity repository/access-boundary test set: 3 files, 23 tests
• guacamole/routes.ts direct DB/schema/SimpleDBOps access scan now reports 0 matches
• targeted guacamole host-resolution/token test set: 2 files, 15 tests
• credential apply usage and credential-host list migrated path direct DB/schema access scan now reports 0 matches
• credential folder rename direct DB/schema access scan now reports 0 matches
• shared-credential-manager sshCredentials direct access scan now reports 0 matches
• user cleanup host/credential delete direct DB/schema access scan now reports 0 matches
• credential delete lookup/host-list/delete direct DB/schema access scan now reports 0 matches
• permission-manager host owner direct DB/schema access scan now reports 0 matches
• hostAccess/userRoles direct scan remains 0 in host.ts
• snippetAccess direct access scan remains 0 across route and utils modules
• git diff --check
• forbidden attribution scan; only DOMAIN_ALIASES/DOMAINS identifier text matched the broad AI substring check
• termix-id route import test has a local 15s timeout because the mocked router import can exceed Vitest's 5s default under the full gray suite

Intended direction

• keep this PR draft until gray evidence is attached
• keep gray rollout explicit for every migrated repository domain
• introduce a database adapter boundary
• move direct DB access behind repositories/services
• keep runtime SSH/WebSocket/tunnel state in memory only
• move persistence to real database writes and migrations
• preserve security through field-level/envelope encryption for sensitive data
• provide a migration path from the current encrypted SQLite snapshot