
[SECURITY] Database encryption-at-rest (SQLCipher) deferred post-launch #10

@matthewod11-stack

Description

Local employee database is not cryptographically encrypted at rest. Current posture relies on macOS filesystem protections (strict file permissions 0600, Keychain-backed API key storage), but SQLite content is plaintext if host-level filesystem access is obtained.

Current State

  • DB file permissions set to 0600 (owner-only)
  • API keys stored in macOS Keychain (not in SQLite)
  • macOS sandbox and Gatekeeper provide additional protection
  • Audit review flagged this on 2026-02-06

Why Deferred

Intentionally deferred to post-launch to avoid destabilizing release-critical functionality. SQLCipher migration requires:

  • Evaluate SQLCipher integration with Tauri/SQLx
  • Plan migration path for existing unencrypted databases
  • Test: open, create, migrate, backup, restore all work with encryption
  • Performance benchmarking (SQLCipher adds overhead to every query)
  • Key management design (derive from user password? Store in Keychain?)
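The two pieces of the migration path above that can be worked out before touching SQLx are (a) telling a legacy plaintext file apart from an already-keyed one and (b) the exact SQLCipher statements for keying a new database versus exporting an existing plaintext one into a keyed copy. The following is an added example, not code from this repository or from SQLCipher: it uses only the Rust standard library, assumes a 32-byte raw key that the caller has already fetched from somewhere outside the database (the macOS Keychain is the obvious home, but the Keychain call itself is not shown), and produces SQL strings that would have to be executed through SQLx/rusqlite against a SQLCipher-linked SQLite, which it does not do. The `DbState` enum, `classify_*`, `key_pragma` and `migration_plan` names are illustrative, not anything in `src-tauri/src/db.rs`.

```rust
// Added example, not the project's own code: standard-library helpers that
// decide whether an on-disk database is still plaintext and build the SQLCipher
// statements for keying or migrating it. The key is assumed to arrive from
// outside (e.g. the macOS Keychain, which this example does not call); the
// statements are meant to be run through SQLx/rusqlite against a
// SQLCipher-linked SQLite, which this example also does not do.
use std::fs::File;
use std::io::Read;
use std::path::Path;

/// Every unencrypted SQLite 3 file starts with this 16-byte magic. SQLCipher
/// encrypts page 1 including the header, so a keyed file never does.
const SQLITE_MAGIC: &[u8; 16] = b"SQLite format 3\0";

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DbState {
    Missing,   // no file yet: key before creating the schema
    Plaintext, // legacy file: needs export into a keyed copy
    Encrypted, // header is not the SQLite magic: assume already keyed
    Unknown,   // too short to be any SQLite file: refuse to touch it
}

/// Classify from the first bytes of the file (None = file does not exist).
pub fn classify_header(header: Option<&[u8]>) -> DbState {
    match header {
        None => DbState::Missing,
        Some(h) if h.is_empty() => DbState::Missing,
        Some(h) if h.len() < SQLITE_MAGIC.len() => DbState::Unknown,
        Some(h) if h[..16] == SQLITE_MAGIC[..] => DbState::Plaintext,
        Some(_) => DbState::Encrypted,
    }
}

/// Read the header from disk; a missing file is the normal first-run state.
pub fn classify_file(path: &Path) -> std::io::Result<DbState> {
    let mut file = match File::open(path) {
        Ok(f) => f,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(DbState::Missing),
        Err(e) => return Err(e),
    };
    let mut buf = [0u8; 16];
    let mut filled = 0;
    while filled < buf.len() {
        let n = file.read(&mut buf[filled..])?;
        if n == 0 {
            break;
        }
        filled += n;
    }
    Ok(classify_header(Some(&buf[..filled])))
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Single-quoted SQL literal with embedded quotes doubled (used for file paths).
fn sql_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "''"))
}

/// SQLCipher raw-key form: x'<64 hex chars>' is used as the 256-bit key as-is,
/// so there is no passphrase to brute-force and no PBKDF2 stretching runs.
pub fn key_pragma(key: &[u8; 32]) -> String {
    format!("PRAGMA key = \"x'{}'\";", hex(key))
}

/// Statements to run, in order, right after opening the connection. For a
/// plaintext file the connection is opened on the plaintext DB (no PRAGMA key)
/// and its content is exported into a keyed copy at `encrypted_path`; the
/// caller then renames that copy over the original and restores mode 0600.
pub fn migration_plan(state: DbState, key: &[u8; 32], encrypted_path: &str) -> Option<Vec<String>> {
    match state {
        DbState::Unknown => None,
        DbState::Missing | DbState::Encrypted => Some(vec![
            key_pragma(key),
            // Fails with "file is not a database" when the key is wrong; run it
            // before any application query so the error surfaces early.
            "SELECT count(*) FROM sqlite_master;".to_string(),
        ]),
        DbState::Plaintext => Some(vec![
            format!(
                "ATTACH DATABASE {} AS encrypted KEY \"x'{}'\";",
                sql_quote(encrypted_path),
                hex(key)
            ),
            "SELECT sqlcipher_export('encrypted');".to_string(),
            "DETACH DATABASE encrypted;".to_string(),
        ]),
    }
}

fn main() {
    // Constructed inputs: a 32-byte stand-in for a Keychain-held key and a
    // header copied from an unencrypted SQLite file.
    let key = [0x42u8; 32];
    let plaintext_header = b"SQLite format 3\0\x10\x00\x01\x01";
    let state = classify_header(Some(&plaintext_header[..]));
    for stmt in migration_plan(state, &key, "/tmp/employees.db.enc").unwrap() {
        println!("{}", stmt);
    }
}
```

Two design points worth carrying into the real migration: a corrupt or foreign file is classified as `Encrypted` rather than `Plaintext`, so the worst case is a failed `sqlite_master` check rather than an accidental plaintext export, and the plaintext-to-keyed export leaves the original file in place, so the swap (rename the keyed copy over the original, then remove or securely retain the plaintext backup) must be done by the caller after `DETACH` succeeds, not before.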

Verification

  • cargo test --manifest-path src-tauri/Cargo.toml passes after migration
  • Existing databases migrate transparently
  • Backup/restore works with encrypted DB

Automation Hints

scope: src-tauri/src/db.rs, src-tauri/Cargo.toml
do-not-touch: src/components/
approach: add-migration
risk: high
max-files-changed: 5
blocked-by: none
bail-if: existing database migration fails or performance degrades >20%

Priority

Low

Metadata

Assignees

No one assigned

Labels

deferred: Intentionally postponed — agent skips

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests