feat: encrypted data + credential vaults, and the private-data onboarding architecture (ADRs 045–049)#1
Merged
Conversation
Robust ignore rules for 'Stu Health Data/', PHI file types, and /private/ so real health data and credentials can never be staged in this public repo. Verified via git check-ignore + git add -A --dry-run. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb
PersistentVaultStore (redb-backed) seals ProvRecords with XChaCha20- Poly1305 so they survive a restart. CredentialVault derives a key from a master passphrase via Argon2id and seals per-source logins; wrong passphrase is rejected, Debug is redacted. Both behind a non-default 'persist' feature so default/WASM builds stay redb/argon2-free. Proven: round-trip across reopen, wrong-key/tamper reject, zero plaintext on disk; cargo test + clippy -D warnings green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb
Helix-Build-Spec.md (onboarding + proactive analyst delivery plan); product spec figures numbered with captions + cross-refs; ADR-045..049 (credential vault, agentic-browser acquisition, single-tenant local-first topology, AIMDS guardrails, scheduled per-source pulls). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb
ruvnet
added a commit
that referenced
this pull request
Jul 1, 2026
…erience (#2) * chore(security): gitignore private health data & secrets Robust ignore rules for 'Stu Health Data/', PHI file types, and /private/ so real health data and credentials can never be staged in this public repo. Verified via git check-ignore + git add -A --dry-run. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb * feat(helix-vault): persistent + credential vaults, encrypted at rest PersistentVaultStore (redb-backed) seals ProvRecords with XChaCha20- Poly1305 so they survive a restart. CredentialVault derives a key from a master passphrase via Argon2id and seals per-source logins; wrong passphrase is rejected, Debug is redacted. Both behind a non-default 'persist' feature so default/WASM builds stay redb/argon2-free. Proven: round-trip across reopen, wrong-key/tamper reject, zero plaintext on disk; cargo test + clippy -D warnings green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb * docs: build spec, numbered figures, ADRs 045-049 Helix-Build-Spec.md (onboarding + proactive analyst delivery plan); product spec figures numbered with captions + cross-refs; ADR-045..049 (credential vault, agentic-browser acquisition, single-tenant local-first topology, AIMDS guardrails, scheduled per-source pulls). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb * feat(helix-demo): full synthetic demo persona across all 6 domains New helix-demo crate: a deterministic generator for the fictional persona 'Alex Rivera' (clearly labeled SAMPLE) with 2,650 records + 3 meds + 2 clinician notes across Apple Watch, Lose It, RENPHO (~50-metric panel), Quest labs, pharmacy, and EMR -- one coherent, grounded story (mild iron deficiency + sleep + improving body-comp + borderline lipids; no false alarms). Wired into the UI (ui/demo-dossier.json) so the app boots a rich dossier through the REAL pipeline. cargo test -p helix-demo 13 passed; workspace green; clippy clean; verified live in headless Chrome. Stacks on #1; diff reduces to just the demo once #1 merges. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb * style: apply cargo fmt to helix-demo (CI fmt gate) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: ruv <ruv@ruv.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR lays the secure, tested foundation that turns Helix from a stateless analyzer into a platform that can safely hold a person's health data and pull it in automatically — while keeping the local-first, user-owned promise of ADR-001.
It adds two encrypted vaults, the full architecture for automated multi-source data acquisition (5 new ADRs), the delivery spec, and completes the product-spec figure integration.
What's included
🔐
helix-vault— two encrypted stores (feature-gated, fully tested)PersistentVaultStoreProvRecords with XChaCha20-Poly1305, persists viaredb— data survives a process restart. Closes the "everything evaporates on close" gap.CredentialVaultDebugis redacted, and there is zero plaintext on disk — proven by reading the raw file bytes in-test.Proof — all green:
📐 Architecture — ADRs 045–049 (the automated-onboarding design)
.env)📄 Docs & figures
docs/Helix-Build-Spec.md— the onboarding + proactive-analyst delivery plan (phased, with verifiable milestones).Why this is safe to merge
todo!()/unimplemented!();clippy -D warningsclean.argon2/redbcompile only underpersist; default + WASM builds unchanged.git log --name-only+git add -A --dry-run).How to verify locally
What's next (separate PRs on this foundation)
Source connectors (Apple Health, RENPHO, Quest, pharmacy, EMR, Lose It), the per-source scheduler, the
helix credsintake CLI, and a full synthetic demo persona — each will land as its own reviewed PR.🤖 Generated with Claude Code
https://claude.ai/code/session_01NsEPAr9R7jXAJcEYFN4acb