Merge pull request #558 from lanedirt/557-prepare-0111-release

Bump version to 0.11.1

.dockerignore

@@ -22,4 +22,17 @@
 **/secrets.dev.yaml
 **/values.dev.yaml
 LICENSE
-README.md
+README.md
+
+# Exclude AliasVault data directories
+database/
+logs/
+certificates/
+
+# Exclude git directory
+.git/
+
+# Exclude development files
+*.log
+*.env
+*.env.*

.env.example

@@ -1 +1,10 @@
+HOSTNAME=
 JWT_KEY=
+DATA_PROTECTION_CERT_PASS=
+ADMIN_PASSWORD_HASH=
+ADMIN_PASSWORD_GENERATED=2024-01-01T00:00:00Z
+PRIVATE_EMAIL_DOMAINS=
+SMTP_TLS_ENABLED=false
+LETSENCRYPT_ENABLED=false
+POSTGRES_PASSWORD=
+SUPPORT_EMAIL=

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Report a bug or unexpected behavior.
+title: "[BUG] "
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for AliasVault
+title: '[Feature Request] '
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+## Description
+
+Please include a summary of the changes and the related issue(s).
+- [ ] Bug fix
+- [ ] Feature enhancement
+- [ ] Documentation update
+- [ ] Other (please describe):
+
+## Related Issues
+
+Link to any issues that this PR addresses:
+Fixes #[issue-number]
+
+## Checklist
+
+- [ ] Code adheres to project standards and guidelines.
+- [ ] Documentation has been updated where applicable.
+
+## Additional Information
+
+Add any additional context, screenshots, or explanations here.

.github/dependabot.yml

@@ -0,0 +1,53 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+    # Enable version updates for NuGet
+    - package-ecosystem: "nuget"
+      directory: "/"
+      target-branch: "main"
+      open-pull-requests-limit: 10
+      labels:
+          - "dependencies"
+      # Check for updates once a week
+      schedule:
+          day: "monday"
+          time: "09:00"
+          interval: "weekly"
+        # Ignore certain dependencies (optional)
+        # ignore:
+        #   - dependency-name: "SomePackage"
+        #     versions: ["4.x", "5.x"]
+
+    # Enable version updates for npm
+    - package-ecosystem: "npm"
+      # Look for `package.json` and `lock` files in the `root` directory
+      directory: "/"
+      # Check for updates once a week
+      schedule:
+          day: "monday"
+          time: "09:00"
+          interval: "weekly"
+
+    # Enable version updates for Docker
+    - package-ecosystem: "docker"
+      # Look for a `Dockerfile` in the `root` directory
+      directory: "/"
+      # Check for updates once a week
+      schedule:
+          day: "monday"
+          time: "09:00"
+          interval: "weekly"
+
+    # Enable version updates for Composer
+    - package-ecosystem: "composer"
+      # Look for a `Dockerfile` in the `root` directory
+      directory: "/"
+      # Check for updates once a week
+      schedule:
+          day: "monday"
+          time: "09:00"
+          interval: "weekly"

.github/release.yml

@@ -9,9 +9,9 @@ changelog:
         labels:
           - dependencies
           - bug
-    - title: 🧩 Dependencies Updates
-      labels:
-        - dependencies
     - title: 🐞 Bug Fixes
       labels:
         - bug
+    - title: 🧩 Dependencies Updates
+      labels:
+        - dependencies

.github/workflows/docker-compose-build.yml

@@ -9,41 +9,95 @@ on:
 jobs:
   test-docker:
     runs-on: ubuntu-latest
+
     services:
       docker:
         image: docker:26.0.0
         options: --privileged
+
     steps:
       - uses: actions/checkout@v2
-      - name: Set permissions and run init.sh
+
+      - name: Create .env file with custom SMTP port as port 25 is not allowed in GitHub Actions
         run: |
-          chmod +x init.sh
-          ./init.sh
-      - name: Set up Docker Compose
+          echo "SMTP_PORT=2525" > .env
+
+      - name: Set permissions and run install.sh
         run: |
-            # Build the images and start the services
-            docker compose -f docker-compose.yml up -d
-      - name: Wait for services to be up
-        run: |
-            # Wait for a few seconds
-            sleep 5
-      - name: Test if localhost:80 (WASM app) responds
-        run: |
-            # Test if the service on localhost:80 responds
-            http_code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:80)
-            if [ "$http_code" -ne 200 ]; then
-              echo "Service did not respond with 200 OK"
+          chmod +x install.sh
+          ./install.sh build --verbose
+
+      - name: Test if services are responding
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 5
+          max_attempts: 5
+          command: |
+            sleep 15
+
+            # Array of endpoints to test
+            declare -A endpoints=(
+              ["WASM"]="https://localhost:443"
+              ["WebApi"]="https://localhost:443/api"
+              ["Admin"]="https://localhost:443/admin/user/login"
+            )
+
+            failed=false
+
+            # Test HTTP endpoints
+            for name in "${!endpoints[@]}"; do
+              url="${endpoints[$name]}"
+              echo "Testing $name at $url"
+
+              # Store both response body and HTTP code
+              response=$(curl -k -s -w "\nHTTP_CODE=%{http_code}" "$url")
+              http_code=$(echo "$response" | grep "HTTP_CODE=" | cut -d= -f2)
+              body=$(echo "$response" | sed '$d')  # Remove the last line (HTTP_CODE)
+
+              if [ "$http_code" -ne 200 ]; then
+                echo "❌ $name failed with HTTP $http_code at $url"
+                echo "Response body:"
+                echo "$body"
+                failed=true
+              else
+                echo "✅ $name responded with HTTP 200"
+              fi
+            done
+
+            # Test SMTP
+            echo "Testing SmtpService at localhost:2525"
+            if ! nc -zv localhost 2525 2>&1 | grep -q 'succeeded'; then
+              echo "❌ SmtpService failed to respond on port 2525"
+              failed=true
+            else
+              echo "✅ SmtpService responded successfully"
+            fi
+
+            # Exit with error if any service failed
+            if [ "$failed" = true ]; then
+              # Get container logs
+              echo "Container Logs admin:"
+              docker compose logs admin
+              echo "Container Logs api:"
+              docker compose logs api
+              echo "Container Logs client:"
+              docker compose logs client
+              echo "Container Logs smtp:"
+              docker compose logs smtp
+              echo "Container Logs reverse-proxy:"
+              docker compose logs reverse-proxy
+
+              # Restart containers for next test in case of failure
+              docker compose restart
               exit 1
-            else
-              echo "Service responded with 200 OK"
             fi
-      - name: Test if localhost:81 (WebApi) responds
+
+      - name: Test install.sh reset-password output
         run: |
-            # Test if the service on localhost:81 responds
-            http_code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:81)
-            if [ "$http_code" -ne 200 ]; then
-                echo "Service did not respond with expected 200 OK. Check if all DB migrations are applied."
-                exit 1
-            else
-                echo "Service responded with $http_code"
-            fi
+          output=$(./install.sh reset-password)
+          if ! echo "$output" | grep -E '.*New admin password: [A-Za-z0-9+/=]{8,}.*'; then
+            echo "Password reset output format is incorrect"
+            echo "Expected: 'New admin password: <at least 8 base64 chars>'"
+            echo "Actual: $output"
+            exit 1
+          fi

.github/workflows/docker-compose-pull.yml

@@ -0,0 +1,133 @@
+# This workflow will test if pulling the latest Docker Compose containers from the registry works.
+name: Docker Compose Pull
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  test-docker:
+    runs-on: ubuntu-latest
+
+    services:
+      docker:
+        image: docker:26.0.0
+        options: --privileged
+
+    steps:
+      - name: Get repository and branch information
+        id: repo-info
+        run: |
+          # Check if this is a PR from a fork
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
+            # If PR is from a fork, use main branch from lanedirt/AliasVault
+            echo "REPO_FULL_NAME=lanedirt/AliasVault" >> $GITHUB_ENV
+            echo "BRANCH_NAME=main" >> $GITHUB_ENV
+          else
+            # Otherwise use the current repository and branch
+            echo "REPO_FULL_NAME=${GITHUB_REPOSITORY}" >> $GITHUB_ENV
+            echo "BRANCH_NAME=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_ENV
+          fi
+
+      - name: Download install script from current branch
+        run: |
+          INSTALL_SCRIPT_URL="https://raw.githubusercontent.com/$REPO_FULL_NAME/$BRANCH_NAME/install.sh"
+          echo "Downloading install script from: $INSTALL_SCRIPT_URL"
+          curl -f -o install.sh "$INSTALL_SCRIPT_URL"
+
+      - name: Create .env file with custom SMTP port as port 25 is not allowed in GitHub Actions
+        run: |
+          echo "SMTP_PORT=2525" > .env
+
+      - name: Set permissions and run install.sh
+        id: install_script
+        continue-on-error: true
+        run: |
+          chmod +x install.sh
+          ./install.sh install --verbose
+
+      - name: Check if failure was due to version mismatch
+        if: steps.install_script.outcome == 'failure'
+        run: |
+          if grep -q "Install script needs updating to match version" <<< "$(./install.sh install --verbose 2>&1)"; then
+            echo "Test skipped: Install script version is newer than latest release version. This is expected behavior if the install script is run on a branch that is ahead of the latest release."
+            exit 0
+          else
+            echo "Test failed due to an unexpected error"
+            exit 1
+          fi
+
+      - name: Set up Docker Compose
+        run: docker compose -f docker-compose.yml up -d
+
+      - name: Wait for services to be up
+        run: |
+            # Wait for a few seconds
+            sleep 10
+      -   name: Test if localhost:443 (WASM app) responds
+          uses: nick-fields/retry@v3
+          with:
+              timeout_minutes: 2
+              max_attempts: 3
+              command: |
+                  http_code=$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:443)
+                  if [ "$http_code" -ne 200 ]; then
+                    echo "Service did not respond with 200 OK. Check if client app and/or nginx is configured correctly."
+                    exit 1
+                  else
+                    echo "Service responded with 200 OK"
+                  fi
+
+      -   name: Test if localhost:443/api (WebApi) responds
+          uses: nick-fields/retry@v3
+          with:
+              timeout_minutes: 2
+              max_attempts: 3
+              command: |
+                  http_code=$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:443/api)
+                  if [ "$http_code" -ne 200 ]; then
+                    echo "Service did not respond with expected 200 OK. Check if WebApi and/or nginx is configured correctly."
+                    exit 1
+                  else
+                    echo "Service responded with $http_code"
+                  fi
+
+      -   name: Test if localhost:443/admin (Admin) responds
+          uses: nick-fields/retry@v3
+          with:
+              timeout_minutes: 2
+              max_attempts: 3
+              command: |
+                  http_code=$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:443/admin/user/login)
+                  if [ "$http_code" -ne 200 ]; then
+                    echo "Service did not respond with expected 200 OK. Check if admin app and/or nginx is configured correctly."
+                    exit 1
+                  else
+                    echo "Service responded with $http_code"
+                  fi
+
+      -   name: Test if localhost:2525 (SmtpService) responds
+          uses: nick-fields/retry@v3
+          with:
+              timeout_minutes: 2
+              max_attempts: 3
+              command: |
+                  if ! nc -zv localhost 2525 2>&1 | grep -q 'succeeded'; then
+                    echo "SmtpService did not respond on port 2525. Check if the SmtpService service is running."
+                    exit 1
+                  else
+                    echo "SmtpService responded on port 2525"
+                  fi
+
+      - name: Test install.sh reset-password output
+        run: |
+          output=$(./install.sh reset-password)
+          if ! echo "$output" | grep -E '.*New admin password: [A-Za-z0-9+/=]{8,}.*'; then
+            echo "Password reset output format is incorrect. Expected format: 'New admin password: <at least 8 base64 chars>'"
+            echo "Actual output: $output"
+            exit 1
+          else
+            echo "Password reset output format is correct"
+          fi

.github/workflows/dotnet-e2e-admin-tests.yml

@@ -0,0 +1,46 @@
+# This workflow will test if running the E2E Admin tests via Playwright CLI works.
+name: .NET E2E Admin Tests (Playwright)
+
+on:
+    push:
+        branches: [ "main" ]
+    pull_request:
+        branches: [ "main" ]
+
+jobs:
+    admin-tests:
+        timeout-minutes: 60
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Setup .NET
+              uses: actions/setup-dotnet@v4
+              with:
+                  dotnet-version: 9.0.x
+
+            - name: Install dependencies
+              run: dotnet workload install wasm-tools
+
+            - name: Build
+              run: dotnet build
+
+            - name: Start dev database
+              run: ./install.sh configure-dev-db start
+
+            - name: Ensure browsers are installed
+              run: pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net9.0/playwright.ps1 install --with-deps
+
+            - name: Run AdminTests with retry
+              uses: nick-fields/retry@v3
+              with:
+                  timeout_minutes: 60
+                  max_attempts: 3
+                  command: dotnet test src/Tests/AliasVault.E2ETests --no-build --verbosity normal --filter "Category=AdminTests"
+
+            - name: Upload Test Results
+              if: always()
+              uses: actions/upload-artifact@v3
+              with:
+                  name: admin-test-results
+                  path: TestResults-Admin.xml

.github/workflows/dotnet-e2e-client-tests.yml

@@ -0,0 +1,43 @@
+# This workflow will test if running the E2E Client tests via Playwright CLI works.
+name: .NET E2E Client Tests (Playwright with Sharding)
+
+on:
+    push:
+        branches: [ "main" ]
+    pull_request:
+        branches: [ "main" ]
+
+jobs:
+    client-tests:
+        timeout-minutes: 60
+        runs-on: ubuntu-latest
+        strategy:
+            fail-fast: false
+            matrix:
+                shard: [1, 2, 3, 4, 5]
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Setup .NET
+              uses: actions/setup-dotnet@v4
+              with:
+                  dotnet-version: 9.0.x
+
+            - name: Install dependencies
+              run: dotnet workload install wasm-tools
+
+            - name: Build
+              run: dotnet build
+
+            - name: Start dev database
+              run: ./install.sh configure-dev-db start
+
+            - name: Ensure browsers are installed
+              run: pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net9.0/playwright.ps1 install --with-deps
+
+            - name: Run ClientTests with retry (Shard ${{ matrix.shard }})
+              uses: nick-fields/retry@v3
+              with:
+                  timeout_minutes: 60
+                  max_attempts: 3
+                  command: dotnet test src/Tests/AliasVault.E2ETests --no-build --verbosity normal --filter "FullyQualifiedName~.E2ETests.Tests.Client.Shard${{ matrix.shard }}."

.github/workflows/dotnet-e2e-misc-tests.yml

@@ -0,0 +1,46 @@
+# This workflow will test if running the E2E Misc tests via Playwright CLI works.
+name: .NET E2E Misc Tests (Playwright)
+
+on:
+    push:
+        branches: [ "main" ]
+    pull_request:
+        branches: [ "main" ]
+
+jobs:
+    misc-tests:
+        timeout-minutes: 60
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Setup .NET
+              uses: actions/setup-dotnet@v4
+              with:
+                  dotnet-version: 9.0.x
+
+            - name: Install dependencies
+              run: dotnet workload install wasm-tools
+
+            - name: Build
+              run: dotnet build
+
+            - name: Start dev database
+              run: ./install.sh configure-dev-db start
+
+            - name: Ensure browsers are installed
+              run: pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net9.0/playwright.ps1 install --with-deps
+
+            - name: Run remaining tests with retry
+              uses: nick-fields/retry@v3
+              with:
+                  timeout_minutes: 60
+                  max_attempts: 3
+                  command: dotnet test src/Tests/AliasVault.E2ETests --no-build --verbosity normal --filter "Category!=AdminTests&Category!=ClientTests"
+
+            - name: Upload Test Results
+              if: always()
+              uses: actions/upload-artifact@v3
+              with:
+                  name: misc-test-results
+                  path: TestResults-Misc.xml

.github/workflows/dotnet-integration-tests.yml

@@ -1,7 +1,5 @@
-# This workflow will build a .NET project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
-
-name: Playwright integration tests
+# This workflow will test if running the integration tests works.
+name: .NET Integration Tests
 
 on:
   push:
@@ -15,15 +13,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 8.0.x
+          dotnet-version: 9.0.x
+
     - name: Install dependencies
       run: dotnet workload install wasm-tools
+
     - name: Build
       run: dotnet build
-    - name: Ensure browsers are installed
-      run: pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net8.0/playwright.ps1 install --with-deps
-    - name: Run your tests
-      run: dotnet test src/Tests/AliasVault.E2ETests --no-build --verbosity normal
+
+    - name: Start dev database
+      run: ./install.sh configure-dev-db start
+
+    - name: Run integration tests
+      run: dotnet test src/Tests/AliasVault.IntegrationTests --no-build --verbosity normal

.github/workflows/dotnet-unit-tests.yml

@@ -1,7 +1,5 @@
-# This workflow will build a .NET project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
-
-name: .NET build and run tests
+# This workflow will test if running the unit tests works.
+name: .NET Unit Tests
 
 on:
   push:
@@ -10,21 +8,24 @@ on:
     branches: [ "main" ]
 
 jobs:
-  build:
-
+  test:
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v4
+
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 8.0.x
+          dotnet-version: 9.0.x
+
     - name: Install dependencies
       run: dotnet workload install wasm-tools
+
     - name: Restore dependencies
       run: dotnet restore
+
     - name: Build
       run: dotnet build --no-restore
-    - name: Test
+
+    - name: Run unittests
       run: dotnet test src/Tests/AliasVault.UnitTests --no-build --verbosity normal

.github/workflows/publish-docker-images.yml

@@ -0,0 +1,117 @@
+# This workflow will publish new Docker images to the GitHub Container Registry when a new release is published.
+name: Publish Docker Images
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Convert repository name to lowercase
+        run: |
+          echo "REPO_LOWER=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}
+
+      - name: Build and push Postgres image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/Databases/AliasServerDb/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-postgres:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-postgres:${{ github.ref_name }}
+
+      - name: Build and push API image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/AliasVault.Api/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-api:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-api:${{ github.ref_name }}
+
+      - name: Build and push Client image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/AliasVault.Client/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-client:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-client:${{ github.ref_name }}
+
+      - name: Build and push Admin image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/AliasVault.Admin/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-admin:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-admin:${{ github.ref_name }}
+
+      - name: Build and push Reverse Proxy image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-reverse-proxy:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-reverse-proxy:${{ github.ref_name }}
+
+      - name: Build and push SMTP image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/Services/AliasVault.SmtpService/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-smtp:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-smtp:${{ github.ref_name }}
+
+      - name: Build and push TaskRunner image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/Services/AliasVault.TaskRunner/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-task-runner:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-task-runner:${{ github.ref_name }}
+
+      - name: Build and push InstallCli image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: src/Utilities/AliasVault.InstallCli/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-installcli:latest,${{ env.REGISTRY }}/${{ env.REPO_LOWER }}-installcli:${{ github.ref_name }}

.github/workflows/sonarcloud-code-analysis.yml

@@ -1,29 +1,46 @@
+# This workflow will perform a SonarCloud code analysis on every push to the main branch or
+# when a pull request is opened, synchronized, or reopened. The "pull_request_target" event is
+# used to ensure that the analysis is done on the source branch of the pull request which has
+# access to the SonarCloud token secret.
 name: SonarCloud code analysis
 on:
     push:
         branches:
             - main
-    pull_request:
+    pull_request_target:
         types: [opened, synchronize, reopened]
 jobs:
     build:
         name: Build and analyze
         runs-on: windows-latest
         steps:
+            - name: Setup .NET
+              uses: actions/setup-dotnet@v3
+              with:
+                  dotnet-version: '9.0.x'
+
+            - name: Install WASM workload
+              run: dotnet workload install wasm-tools
+
             - name: Set up JDK 17
               uses: actions/setup-java@v3
               with:
                   java-version: 17
-                  distribution: 'zulu' # Alternative distribution options are available.
-            - uses: actions/checkout@v3
+                  distribution: 'zulu'
+
+            - name: Checkout code of PR branch
+              uses: actions/checkout@v3
               with:
-                  fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+                ref: ${{ github.event.pull_request.head.sha }}
+                fetch-depth: 0
+
             - name: Cache SonarCloud packages
               uses: actions/cache@v3
               with:
                   path: ~\sonar\cache
                   key: ${{ runner.os }}-sonar
                   restore-keys: ${{ runner.os }}-sonar
+
             - name: Cache SonarCloud scanner
               id: cache-sonar-scanner
               uses: actions/cache@v3
@@ -31,19 +48,25 @@ jobs:
                   path: .\.sonar\scanner
                   key: ${{ runner.os }}-sonar-scanner
                   restore-keys: ${{ runner.os }}-sonar-scanner
+
             - name: Install SonarCloud scanner
               if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
               shell: powershell
               run: |
                   New-Item -Path .\.sonar\scanner -ItemType Directory
                   dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner
+
             - name: Build and analyze
               env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
               shell: powershell
               run: |
-                  .\.sonar\scanner\dotnet-sonarscanner begin /k:"lanedirt_AliasVault" /o:"lanedirt" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths="**/coverage.opencover.xml" /d:sonar.coverage.exclusions="**Tests*.cs"
+                  if ('${{ github.event_name }}' -eq 'pull_request_target') {
+                      .\.sonar\scanner\dotnet-sonarscanner begin /k:"lanedirt_AliasVault" /o:"lanedirt" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.pullrequest.key=${{ github.event.pull_request.number }} /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths="**/coverage.opencover.xml" /d:sonar.coverage.exclusions="**Tests*.cs"
+                  } else {
+                      .\.sonar\scanner\dotnet-sonarscanner begin /k:"lanedirt_AliasVault" /o:"lanedirt" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths="**/coverage.opencover.xml" /d:sonar.coverage.exclusions="**Tests*.cs"
+                  }
                   dotnet build
                   dotnet test -c Release /p:CollectCoverage=true /p:CoverletOutput=coverage /p:CoverletOutputFormat=opencover --filter 'FullyQualifiedName!~AliasVault.E2ETests'
-                  .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
+                  .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"

.gitignore

@@ -268,9 +268,14 @@ ServiceFabricBackup/
 
 # SQLite files
 *.sqlite
+*.sqlite.*
 *.sqlite-shm
 *.sqlite-wal
 
+# SQL files
+*.sql
+*.sql.gz
+
 # Business Intelligence projects
 *.rdl.data
 *.bim.layout
@@ -371,13 +376,45 @@ FodyWeavers.xsd
 .idea
 *.licenseheader
 
-# AliasVault specific
+# Codebuddy Rider plugin
+.codebuddy
+
+# -------------------
+# AliasVault specifics
+# -------------------
 # index.html is generated by the build process from index.template.html and therefore should be ignored
-src/AliasVault.WebApp/wwwroot/index.html
+src/AliasVault.Client/wwwroot/index.html
+
 # appsettings.Development.json is generated by the build process from appsettings.Development.template.json and therefore should be ignored
-src/AliasVault.WebApp/wwwroot/appsettings.Development.json
+src/AliasVault.Client/wwwroot/appsettings.Development.json
+
 # appsettings.Development.json is added manually if needed, it should not be committed.
 src/Tests/AliasVault.E2ETests/appsettings.Development.json
 
-# .env is generated by init.sh and therefore should be ignored
+# .env is generated by install.sh and therefore should be ignored
 .env
+
+# install.sh backup files are generated by install.sh self-update and therefore should be ignored
+install.sh.backup
+
+# Draw.io diagram temp files
+*.drawio.*
+
+# Certificates
+certificates/**/*.crt
+certificates/**/*.key
+certificates/**/*.pfx
+certificates/**/*.pem
+certificates/letsencrypt/**
+
+# Docs
+docs/_site
+docs/vendor
+docs/.bundle
+
+# Database files
+database/postgres
+database/postgres-dev
+
+# Temp files
+temp

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+contact@support.aliasvault.net.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

CONTRIBUTING.md

@@ -1,88 +1,14 @@
-# Contributing
-This document is a work-in-progress and will be expanded as time goes on. If you have any questions feel free to open a issue on GitHub.
+# Contributing to the source code
+We welcome contributions to AliasVault. Please read the guidelines on the official AliasVault docs website on how to get your local development environment setup and the general contribution guidelines:
 
-Note: all instructions below are based on MacOS. If you are using a different operating system, you may need to adjust the commands accordingly.
+https://docs.aliasvault.net/misc/dev/contributing.html
 
-## Getting Started
-In order to contribute to this project follow these instructions to setup your local environment:
+> Tip: if the URL above is not available, the raw doc pages can also be found in the `docs` folder in this repository.
 
-### 1. Clone the repository
+## Contributing to the documentation
+The docs are built using Jekyll and automatically deploy to GitHub Pages via GitHub Actions. You can build the docs locally by running `docker compose up` in in the `./docs` folder.
 
-```bash
-git clone https://github.com/lanedirt/AliasVault.git
-cd AliasVault
-```
-
-### 2. Copy pre-commit hook script to .git/hooks directory
-**Important**: All commits in this repo are required to contain a reference to a GitHub issue in the format of "your commit message (#123)" where "123" references the GitHub issue number.
-
-The pre-commit hook script below will check the commit message before allowing the commit to proceed. If the commit message is invalid, the commit will be aborted.
-
-```bash
-# Copy the commit-msg hook script to the .git/hooks directory
-cp .github/hooks/commit-msg .git/hooks/commit-msg
-
-# Make the script executable
-chmod +x .git/hooks/commit-msg
-```
-
-### 3. Install the latest version of .NET SDK 8
-
-```bash
-# Install .NET SDK 8
-
-# On MacOS via brew:
-brew install --cask dotnet-sdk
-
-# On Windows via winget
-winget install Microsoft.DotNet.SDK.8
-```
-
-### 4. Install dotnet CLI EF Tools
-
-```bash
-# Install dotnet EF tools globally
-dotnet tool install --global dotnet-ef
-# Include dotnet tools in your PATH
-nano ~/.zshrc
-# Add the following line to your .zshrc file
-export PATH="$PATH:$HOME/.dotnet/tools"
-# Start a new terminal and test that this command works:
-dotnet ef
-```
-
-### 5. Run Tailwind CSS compiler while changing HTML files to update compiled CSS
-
-```bash
-npm run build:css
-```
-
-### 6. Install Playwright in order to locally run NUnit E2E (end-to-end) tests
-
-```bash
-# First install PowerShell for Mac (if you don't have it already)
-brew install powershell/tap/powershell
-# Install Playwright
-dotnet tool install --global Microsoft.Playwright.CLI
-# Run Playwright install script to download local browsers
-# Note: make sure the E2E test project has been built at least once so the bin dir exists.
-pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net8.0/playwright.ps1 install
-```
-
-### 7. Create AliasVault.WebApp appsettings.Development.json
-The WASM app supports a development specific appsettings.json file. This appsettings file is optional but can override various options to make debugging easier.
+The docs site is based on the open-source template called Just The Docs. Find more information about how this template works in the [official docs](https://just-the-docs.github.io/just-the-docs/).
 
 
-1. Copy `wwwroot/appsettings.json` to `wwwroot/appsettings.Development.json`
-
-Here is an example file with the various options explained:
-
-```
-{
-    "ApiUrl": "http://localhost:5092",
-    "UseDebugEncryptionKey": "true"
-}
-```
-
-- UseDebugEncryptionKey
-    - This setting will use a static encryption key so that if you login as a user you can refresh the page without needing to unlock the database again. This speeds up development when changing things in the WebApp WASM project. Note: the project needs to be run in "Development" mode for this setting to be used.
+To make changes to the AliasVault documentation please make a PR that directly edits the `docs` markdown files in this repository.

Dockerfile

@@ -0,0 +1,15 @@
+FROM nginx:alpine
+
+# Install OpenSSL
+RUN apk add --no-cache openssl
+
+# Copy configuration and entrypoint script
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY entrypoint.sh /docker-entrypoint.sh
+
+# Create SSL directory
+RUN mkdir -p /etc/nginx/ssl && chmod 755 /etc/nginx/ssl \
+    && chmod +x /docker-entrypoint.sh
+
+EXPOSE 80 443
+ENTRYPOINT ["/docker-entrypoint.sh"]

ENCRYPTION.md

@@ -1,13 +0,0 @@
-# Encryption
-This document describes the encryption used in AliasVault.
-
-## SRP
-The application uses the Secure Remote Password (SRP) protocol for authentication. The SRP protocol is a password-authenticated key agreement protocol. This means that the client and server can authenticate each other using a password, without sending the password over the network.
-
-With the use of SRP the master password never leaves the client. The client sends a verifier to the server, which is a value derived from the master password. The server uses this verifier to authenticate the client. With this the server can authenticate the client without having ever seen the actual master password.
-
-## Argon2id
-The application uses the Argon2id key derivation function to derive a key from the master password. Argon2id is a memory-hard function, which makes it difficult to perform large-scale custom hardware attacks. This makes it a good choice for password hashing.
-
-## AES
-AES-256 IV is used to encrypt the data. The data is encrypted with a key derived from the master password using Argon2id. The Initialization Vector (IV) is generated randomly for each encryption.

README.md

@@ -1,83 +1,130 @@
 <div align="center">
 
-<h1>AliasVault</h1>
+🌟 **If you find this project useful, please consider giving it a star!** 🌟
 
-[<img src="https://img.shields.io/github/v/release/lanedirt/AliasVault?include_prereleases&logo=github">](https://github.com/lanedirt/OGameX/releases)
+<h1><img src="https://github.com/user-attachments/assets/933c8b45-a190-4df6-913e-b7c64ad9938b" width="40" /> AliasVault</h1>
+
+<p align="center">
+<a href="https://app.aliasvault.net">Try cloud version 🔥</a> • <a href="https://aliasvault.net?utm_source=gh-readme">Website 🌐</a> • <a href="https://docs.aliasvault.net?utm_source=gh-readme">Documentation 📚</a> • <a href="#self-host">Self-host instructions ⚙️</a>
+</p>
+
+<p align="center">
+<strong>Open-source password and (email) alias manager</strong>
+</p>
+
+[<img src="https://img.shields.io/github/v/release/lanedirt/AliasVault?include_prereleases&logo=github">](https://github.com/lanedirt/AliasVault/releases)
 [<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/docker-compose-build.yml?label=docker-compose%20build">](https://github.com/lanedirt/AliasVault/actions/workflows/docker-compose-build.yml)
-[<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/dotnet-build-run-tests.yml?label=unit tests">](https://github.com/lanedirt/AliasVault/actions/workflows/dotnet-build-run-tests.yml)
-[<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/dotnet-integration-tests.yml?label=e2e tests">](https://github.com/lanedirt/AliasVault/actions/workflows/dotnet-integration-tests.yml)
+[<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/dotnet-unit-tests.yml?label=unit tests">](https://github.com/lanedirt/AliasVault/actions/workflows/dotnet-build-run-tests.yml)
+[<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/dotnet-integration-tests.yml?label=integration tests">](https://github.com/lanedirt/AliasVault/actions/workflows/dotnet-build-run-tests.yml)
+[<img src="https://img.shields.io/github/actions/workflow/status/lanedirt/AliasVault/dotnet-e2e-client-tests.yml?label=e2e tests">](https://github.com/lanedirt/AliasVault/actions/workflows/dotnet-e2e-client-tests.yml)
 [<img src="https://img.shields.io/sonar/coverage/lanedirt_AliasVault?server=https%3A%2F%2Fsonarcloud.io&label=test code coverage">](https://sonarcloud.io/summary/new_code?id=lanedirt_AliasVault)
 [<img src="https://img.shields.io/sonar/quality_gate/lanedirt_AliasVault?server=https%3A%2F%2Fsonarcloud.io&label=sonarcloud&logo=sonarcloud">](https://sonarcloud.io/summary/new_code?id=lanedirt_AliasVault)
 </div>
 
-AliasVault is an open-source password and identity manager built with C# ASP.NET technology. AliasVault can be self-hosted on your own server with Docker, providing a secure and private solution for managing your online identities and passwords.
+<div align="center">
+
+[<img alt="Discord" src="https://img.shields.io/discord/1309300619026235422?logo=discord&logoColor=%237289da&label=join%20discord%20chat&color=%237289da">](https://discord.gg/DsaXMTEtpF)
+
+</div>
+
+AliasVault is an end-to-end encrypted password and (email) alias manager that protects your privacy by creating alternative identities, passwords and email addresses for every website you use. The core of AliasVault is built with C# ASP.NET Blazor WASM technology. AliasVault can be self-hosted on your own server with Docker.
 
 ### What makes AliasVault unique:
 - **Zero-knowledge architecture**: All data is end-to-end encrypted on the client and stored in encrypted state on the server. Your master password never leaves your device and the server never has access to your data.
-- **Virtual identities**: Generate virtual identities with virtual (working) email addresses that are assigned to one or more passwords.
+- **Built-in email server**: AliasVault includes its own email server that allows you to generate virtual email addresses for each alias. Emails sent to these addresses are instantly visible in the AliasVault app.
+- **Alias generation**: Generate aliases and assign them to a website, allowing you to use different email addresses and usernames for each website. Keeping your online identities separate and secure, making it harder for bad actors to link your accounts.
 - **Open-source**: The source code is available on GitHub and can be self-hosted on your own server.
 
-> Note: AliasVault is currently in development and not yet ready for production use. The project is still in the early stages and many features are not yet implemented. You are welcome to contribute to the project by submitting pull requests or opening issues.
+> Note: AliasVault is currently in active development and some features may not yet have been (fully) implemented. If you run into any issues, please create an issue on GitHub.
 
-## Live demo
-A live demo of the app is available at [main.aliasvault.net](https://main.aliasvault.net) (nightly builds). You can create a free account to try it out yourself.
+## Official Cloud Version
+The official cloud version of AliasVault is freely available at [app.aliasvault.net](https://app.aliasvault.net). This fully supported platform is always up to date with our latest release. Create an account to protect your privacy today.
 
-<img width="700" alt="Screenshot 2024-07-12 at 14 58 29" src="https://github.com/user-attachments/assets/57103f67-dff0-4124-9b33-62137aab5578">
+[<img width="700" alt="Screenshot of AliasVault" src="docs/assets/img/screenshot.png">](https://app.aliasvault.net)
 
-## Installation on your own machine
-To install AliasVault on your own machine, follow the steps below. Note: the install process is tested on MacOS and Linux. It should work on Windows too, but you might need to adjust some commands.
+## Self-host
 
-### Requirements:
-- Access to a terminal
-- Docker
-- Git
+To self-host and install AliasVault on your own server, the easiest method is to use the provided install script. This will download the pre-built Docker images and start the containers.
 
-### 1. Clone this repository.
+### Install using install script
+
+This method uses pre-built Docker images and works on minimal hardware specifications:
+
+- Linux VM with root access (Ubuntu/AlmaLinux recommended) or Raspberry Pi
+- 1 vCPU
+- 1GB RAM
+- 16GB disk space
+- Docker installed
 
 ```bash
-# Clone this Git repository to "AliasVault" directory
-$ git clone https://github.com/lanedirt/AliasVault.git
+# Download install script from latest stable release
+curl -o install.sh https://raw.githubusercontent.com/lanedirt/AliasVault/0.11.1/install.sh
+
+# Make install script executable and run it. This will create the .env file, pull the Docker images, and start the AliasVault containers.
+chmod +x install.sh
+./install.sh install
 ```
 
-### 2. Run the init script.
-This script will create a .env file in the root directory of the project if it does not yet exist and populate it with a random encryption secret.
-```bash
-# Go to the project directory
-$ cd AliasVault
+The install script will output the URL where the app is available. By default this is:
+- Client: https://localhost
+- Admin portal: https://localhost/admin
 
-# Make init script executable
-$ chmod +x init.sh
+> Note: If you want to change the default AliasVault ports you can do so in the `.env` file.
 
-# Run the init script
-$ ./init.sh
-```
+## Documentation
+For more detailed information about the installation process and other topics, please see the official documentation website:
+- [Documentation website (docs.aliasvault.net) 📚](https://docs.aliasvault.net)
 
-### 3. Build and run the app via Docker:
+Here you can also find step-by-step instructions on how to install AliasVault to e.g. Azure, AWS and other popular cloud providers.
 
-```bash
-# Build and run the app via Docker Compose
-$ docker compose up -d --build --force-recreate
-```
-> Note: the container binds to port 80 by default. If you have another service running on port 80, you can change the port in the `docker-compose.yml` file.
+## Security Architecture
+<a href="https://docs.aliasvault.net/architecture"><img alt="AliasVault Security Architecture Diagram" src="docs/assets/diagrams/security-architecture/aliasvault-security-architecture-thumb.jpg" width="343"></a>
 
-#### Note for first time build:
-- When running the docker compose command for the first time, it may take a few minutes to build the Docker image.
-- A SQLite database file will be created in `./database/AliasServerDb.sqlite`. This file will store all (encrypted) password vaults. It should be kept secure and not shared.
+AliasVault takes security seriously and implements various measures to protect your data:
 
-After the Docker containers have started the app will be available at http://localhost:80
+- All sensitive user data is encrypted end-to-end using industry-standard encryption algorithms. This includes the complete vault contents and all received emails.
+- Your master password never leaves your device.
+- Zero-knowledge architecture ensures the server never has access to your unencrypted data
+
+For detailed information about our encryption implementation and security architecture, see the following documents:
+- [SECURITY.md](SECURITY.md)
+- [Security Architecture Diagram](https://docs.aliasvault.net/architecture)
+
+## Roadmap
+AliasVault is under active development with new features being added regularly. We believe in transparency and want to share our vision for the future of the platform. Here's what we've accomplished and what we're working on next:
+
+- [x] Core password & alias management
+- [x] End-to-end encryption
+- [x] Built-in email server for aliases
+- [x] Single-command Docker-based installation
+- [ ] Add support for connecting custom user domains to cloud hosted version (https://github.com/lanedirt/AliasVault/issues/485)
+- [ ] Add and associate TOTP MFA tokens to credentials (https://github.com/lanedirt/AliasVault/issues/181)
+- [ ] Browser extensions Chrome + Firefox (https://github.com/lanedirt/AliasVault/issues/541)
+- [ ] Import passwords from existing password managers (https://github.com/lanedirt/AliasVault/issues/542)
+
+### Future Plans
+- [ ] Mobile apps (iOS, Android)
+- [ ] Team / organization features (sharing passwords/aliases)
+- [ ] Disposable phone number service
+
+Want to suggest a feature? Join our [Discord](https://discord.gg/DsaXMTEtpF) or create an issue on GitHub.
 
 ## Tech stack / credits
 The following technologies, frameworks and libraries are used in this project:
 
 - [C#](https://docs.microsoft.com/en-us/dotnet/csharp/) - A simple, modern, object-oriented, and type-safe programming language.
-- [ASP.NET Core](https://dotnet.microsoft.com/apps/aspnet) - An open-source framework for building modern, cloud-based, internet-connected applications.
-- [Entity Framework Core](https://docs.microsoft.com/en-us/ef/core/) - A lightweight, extensible, open-source and cross-platform version of the popular Entity Framework data access technology.
+- [ASP.NET Core](https://dotnet.microsoft.com/apps/aspnet) - An open-source framework for building modern multi-platform web applications.
+- [Entity Framework Core](https://docs.microsoft.com/en-us/ef/core/) - Object-relational mapping framework for .NET.
 - [Blazor WASM](https://dotnet.microsoft.com/apps/aspnet/web-apps/blazor) - A framework for building interactive web UIs using C# instead of JavaScript. It's a single-page app framework that runs in the browser via WebAssembly.
-- [Playwright](https://playwright.dev/) - A Node.js library to automate Chromium, Firefox and WebKit with a single API. Used for end-to-end testing.
-- [Docker](https://www.docker.com/) - A platform for building, sharing, and running containerized applications.
-- [SQLite](https://www.sqlite.org/index.html) - A C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine.
+- [PostgreSQL](https://www.postgresql.org/) - An open-source object-relational database system used as the database for the server.
+- [Docker](https://www.docker.com/) - Used for containerizing the server and client apps.
+- [SQLite](https://www.sqlite.org/index.html) - A C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. Used as database engine for the encrypted user's vault.
 - [Tailwind CSS](https://tailwindcss.com/) - A utility-first CSS framework for rapidly building custom designs.
 - [Flowbite](https://flowbite.com/) - A free and open-source UI component library based on Tailwind CSS.
 - [Konscious.Security.Cryptography](https://github.com/kmaragon/Konscious.Security.Cryptography) - A .NET library that implements Argon2id, a memory-hard password hashing algorithm.
-- [SRP.net](https://github.com/secure-remote-password/srp.net) - SRP6a Secure Remote Password protocol for secure password authentication.
-- [SqliteWasmHelper](https://github.com/JeremyLikness/SqliteWasmHelper) - The AliasVault SQLite WASM implementation is loosely based on this library.
+- [SRP.net](https://github.com/secure-remote-password/srp.net) - SRP6a Secure Remote Password protocol for secure password authentication without sending plaintext passwords over the network.
+- [Playwright](https://playwright.dev/) - A Node.js library to automate Chromium, Firefox and WebKit with a single API. Used for end-to-end testing.
+- [SmtpServer](https://github.com/cosullivan/SmtpServer) - A SMTP server library for .NET that is used for the virtual email address feature.
+- [MimeKit](https://github.com/jstedfast/MimeKit) - A .NET MIME creation and parser library used for the virtual email address feature.
+- [StyleCop.Analyzers](https://github.com/DotNetAnalyzers/StyleCopAnalyzers) - Static code analysis tool that enforces style and consistency rules for C# code.
+- [SonarQube Cloud](https://www.sonarqube.org/) - A platform for continuous code quality management.

SECURITY.md

@@ -0,0 +1,95 @@
+# SECURITY.md
+This document describes the encryption algorithms used by AliasVault in order to keep its user data secure.
+
+## Overview
+AliasVault features a [zero-knowledge architecture](https://en.wikipedia.org/wiki/Zero-knowledge_service) and uses a combination of encryption algorithms to protect the data of its users.
+
+The basic premise is that the master password chosen by the user upon registration forms the basis for all encryption
+and decryption operations. This master password is never transmitted over the network and only resides on the client.
+All data is encrypted at rest and in transit. This ensures that even if the AliasVault servers are compromised,
+the user's data remains secure.
+
+## Encryption algorithms
+The following encryption algorithms are used by AliasVault:
+
+- [Argon2id](#argon2id)
+- [SRP](#srp)
+- [AES-GCM](#aes-gcm)
+- [RSA-OAEP](#rsa-oaep)
+
+Below is a detailed explanation of each encryption algorithm.
+
+For more information about how these algorithms are specifically used in AliasVault, see the [Architecture Documentation](https://docs.aliasvault.net/architecture) section on the documentation site.
+
+### Argon2id
+To derive a key from the master password, AliasVault uses the Argon2id key derivation function. Argon2id is a memory-hard
+key derivation function which allows for controlling the execution time, memory required and degree of parallelism.
+This makes it resilient against brute-force attacks and makes it one of the best choices for deriving keys from passwords.
+
+AliasVault uses Argon2id with the following default parameters:
+- Degree of parallelism: 1
+- Memory size: 19456 KB
+- Iterations: 2
+
+More information about Argon2id can be found on the [Argon2](https://en.wikipedia.org/wiki/Argon2) Wikipedia page.
+
+### SRP
+The Secure Remote Password (SRP) protocol is used for authenticating a user with the AliasVault server during login.
+The SRP protocol is a password-authenticated key exchange protocol (PAKE). This means that the client and server can
+authenticate each other using a password, without sending the password itself over the network.
+
+With the use of SRP the master password never leaves the client. The client sends a verifier to the server,
+which is a value derived from the master password. The server uses this verifier to authenticate the client without
+having ever seen the actual master password.
+
+For more information see the [SRP protocol](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) information on Wikipedia.
+
+### AES-256-GCM
+All user's vault data is fully encrypted on the client using the AES-256-GCM encryption algorithm, which stands for
+*Advanced Encryption Standard with 256-bit key in Galois/Counter Mode*. The key for encryption is derived from the
+master password by using the Argon2Id algorithm. AliasVault implements AES-GCM with the following specifications:
+
+- Key Size: 256 bits
+- Uses the Web Crypto API's SubtleCrypto interface for secure cryptographic operations
+- Generates a random 12-byte (96-bit) IV (initialization vector) for each encryption operation
+- Performs all encryption/decryption operations entirely in the browser
+
+#### The encryption process works as follows:
+- A unique IV is generated for each encryption operation
+- The users vault data is encrypted using AES-GCM with the derived key and IV
+- The IV is prepended to the ciphertext
+
+More information about AES-GCM can be found on the [AES-GCM](https://en.wikipedia.org/wiki/Galois/Counter_Mode) Wikipedia page.
+
+### RSA-OAEP
+To secure email communications, AliasVault uses RSA-OAEP (RSA with Optimal Asymmetric Encryption Padding). This asymmetric
+encryption system allows AliasVault to store emails on the server in encrypted state which can only be read by the
+intended recipient. AliasVault implements RSA-OAEP with the following specifications:
+- Algorithm: RSA-OAEP with SHA-256 hash
+- Key Size: 2048-bit modulus
+- Key Format: JWK (JSON Web Key)
+- Padding: OAEP (Optimal Asymmetric Encryption Padding)
+
+#### Email Security Flow
+1. Key Generation: When a user creates a vault, a RSA key pair is generated:
+   - A private key that remains in the encrypted user's vault and is never transmitted
+   - A public key that is sent to the server
+
+2. Email Reception Process: When an email arrives at the AliasVault email server:
+   - The server generates a random 256-bit symmetric encryption key to encrypt the email contents
+   - The symmetric encryption key is encrypted using the recipient's asymmetric public key
+   - The encrypted email contents together with the encrypted symmetric encryption key are stored in the server's database
+   - The original email content is never stored or logged
+
+3. Email Retrieval Process:
+   - When a user accesses their emails, the encrypted content is retrieved from the server
+   - The client-side application decrypts the symmetric encryption key using the user's private key that is stored in their vault
+   - The decrypted symmetric encryption key is used to decrypt the email contents
+   - Decryption occurs entirely in the browser, maintaining end-to-end encryption
+
+This implementation ensures that:
+- Emails are encrypted and secure at rest in the server database
+- Only the intended recipient that holds the private key can decrypt and read their emails
+- Even if the server is compromised, email contents remain encrypted and unreadable
+
+More information about RSA-OAEP can be found on the [RSA-OAEP](https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding) Wikipedia page.

aliasvault.sln

@@ -3,21 +3,17 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.10.34928.147
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasGenerators", "src\AliasGenerators\AliasGenerators.csproj", "{78E84B4E-57D1-491A-8F4E-9879AE49DE0F}"
-EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Utilities", "Utilities", "{01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FaviconExtractor", "src\Utilities\FaviconExtractor\FaviconExtractor.csproj", "{ED328644-A152-403D-86EB-81201AA07744}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.FaviconExtractor", "src\Utilities\AliasVault.FaviconExtractor\AliasVault.FaviconExtractor.csproj", "{ED328644-A152-403D-86EB-81201AA07744}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.UnitTests", "src\Tests\AliasVault.UnitTests\AliasVault.UnitTests.csproj", "{8E6A418A-B305-465D-857D-49953605C18E}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Cryptography", "src\Utilities\Cryptography\Cryptography.csproj", "{427EA8E2-EA76-467E-A6BC-201EFE40C0D0}"
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.Api", "src\AliasVault.Api\AliasVault.Api.csproj", "{B797C533-260E-4DA2-83B1-0EE4BCFE08DB}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.WebApp", "src\AliasVault.WebApp\AliasVault.WebApp.csproj", "{25248E01-5A4B-4F95-A63C-BEA01499A1C2}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.Client", "src\AliasVault.Client\AliasVault.Client.csproj", "{25248E01-5A4B-4F95-A63C-BEA01499A1C2}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.Shared", "src\AliasVault.Shared\AliasVault.Shared.csproj", "{15EFE0D0-F41B-47D7-86B7-8F840335CB82}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.Shared", "src\Shared\AliasVault.Shared\AliasVault.Shared.csproj", "{15EFE0D0-F41B-47D7-86B7-8F840335CB82}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tests", "Tests", "{29DE523D-EEF2-41E9-AC12-F20D8D02BEBB}"
 EndProject
@@ -29,11 +25,51 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasServerDb", "src\Databa
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasClientDb", "src\Databases\AliasClientDb\AliasClientDb.csproj", "{FE10F294-817F-477E-A24F-8597A15AF0B5}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.E2ETests.WebApp.Server", "src\Tests\Server\AliasVault.E2ETests.WebApp.Server\AliasVault.E2ETests.WebApp.Server.csproj", "{DD1F496F-CF10-47D1-A57F-5FA256479332}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.E2ETests.Client.Server", "src\Tests\Server\AliasVault.E2ETests.Client.Server\AliasVault.E2ETests.Client.Server.csproj", "{DD1F496F-CF10-47D1-A57F-5FA256479332}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Server", "Server", "{607945F3-9896-4544-99EC-F3496CF4D36B}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CsvImportExport", "src\Utilities\CsvImportExport\CsvImportExport.csproj", "{A9C9A606-C87E-4298-AB32-09B1884D7487}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AliasVault.CsvImportExport", "src\Utilities\AliasVault.CsvImportExport\AliasVault.CsvImportExport.csproj", "{A9C9A606-C87E-4298-AB32-09B1884D7487}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Services", "Services", "{8A477241-B96C-4174-968D-D40CB77F1ECD}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.SmtpService", "src\Services\AliasVault.SmtpService\AliasVault.SmtpService.csproj", "{B095A174-E528-4D38-BEC1-D1D38B3B30C0}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.IntegrationTests", "src\Tests\AliasVault.IntegrationTests\AliasVault.IntegrationTests.csproj", "{1C7C8DE9-5F2A-43DB-A25E-33319E80A509}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Admin", "src\AliasVault.Admin\AliasVault.Admin.csproj", "{F2CAE93E-94A7-4365-8E84-8D48CE8DD53F}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.InstallCli", "src\Utilities\AliasVault.InstallCli\AliasVault.InstallCli.csproj", "{857BCD0E-753F-437A-AF75-B995B4D9A5FE}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Logging", "src\Utilities\AliasVault.Logging\AliasVault.Logging.csproj", "{FF0B0E64-1AE2-415C-A404-0EB78010821A}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.RazorComponents", "src\Shared\AliasVault.RazorComponents\AliasVault.RazorComponents.csproj", "{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.WorkerStatus", "src\Utilities\AliasVault.WorkerStatus\AliasVault.WorkerStatus.csproj", "{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.TotpGenerator", "src\Utilities\AliasVault.TotpGenerator\AliasVault.TotpGenerator.csproj", "{E8D9C551-67D2-4651-8EDF-4262DF7375CE}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Auth", "src\Utilities\AliasVault.Auth\AliasVault.Auth.csproj", "{DA175274-0FF7-4436-9266-742F96C2D1ED}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Cryptography", "Cryptography", "{BB7E701E-B1C6-453E-800A-E12CE256318D}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Cryptography.Server", "src\Utilities\Cryptography\AliasVault.Cryptography.Server\AliasVault.Cryptography.Server.csproj", "{341EC443-0B6B-4E8C-AF46-D6156573CEA5}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Cryptography.Client", "src\Utilities\Cryptography\AliasVault.Cryptography.Client\AliasVault.Cryptography.Client.csproj", "{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Generators", "Generators", "{03D55CA4-20B3-4FEA-9ADD-3C7B5B10E0FE}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Generators.Password", "src\Generators\AliasVault.Generators.Password\AliasVault.Generators.Password.csproj", "{47F47A1B-49E0-406A-81C8-31FF2E4C339B}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Generators.Identity", "src\Generators\AliasVault.Generators.Identity\AliasVault.Generators.Identity.csproj", "{80E74FBC-4EC8-45FB-B210-473337C484B5}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Shared", "Shared", "{DD359F0A-0180-4F8F-9E48-46213386BA4D}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Shared.Core", "src\Shared\AliasVault.Shared.Core\AliasVault.Shared.Core.csproj", "{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.TaskRunner", "src\Services\AliasVault.TaskRunner\AliasVault.TaskRunner.csproj", "{D631A936-DD1C-40CC-B735-BD0A5D4F46A1}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AliasVault.Shared.Server", "src\Shared\AliasVault.Shared.Server\AliasVault.Shared.Server.csproj", "{34FADEB6-4B56-463B-B359-F844B43D76D9}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -41,10 +77,6 @@ Global
 		Release|Any CPU = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{78E84B4E-57D1-491A-8F4E-9879AE49DE0F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{78E84B4E-57D1-491A-8F4E-9879AE49DE0F}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{78E84B4E-57D1-491A-8F4E-9879AE49DE0F}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{78E84B4E-57D1-491A-8F4E-9879AE49DE0F}.Release|Any CPU.Build.0 = Release|Any CPU
 		{ED328644-A152-403D-86EB-81201AA07744}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{ED328644-A152-403D-86EB-81201AA07744}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{ED328644-A152-403D-86EB-81201AA07744}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -53,10 +85,6 @@ Global
 		{8E6A418A-B305-465D-857D-49953605C18E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{8E6A418A-B305-465D-857D-49953605C18E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{8E6A418A-B305-465D-857D-49953605C18E}.Release|Any CPU.Build.0 = Release|Any CPU
-		{427EA8E2-EA76-467E-A6BC-201EFE40C0D0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{427EA8E2-EA76-467E-A6BC-201EFE40C0D0}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{427EA8E2-EA76-467E-A6BC-201EFE40C0D0}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{427EA8E2-EA76-467E-A6BC-201EFE40C0D0}.Release|Any CPU.Build.0 = Release|Any CPU
 		{B797C533-260E-4DA2-83B1-0EE4BCFE08DB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{B797C533-260E-4DA2-83B1-0EE4BCFE08DB}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{B797C533-260E-4DA2-83B1-0EE4BCFE08DB}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -89,6 +117,70 @@ Global
 		{A9C9A606-C87E-4298-AB32-09B1884D7487}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{A9C9A606-C87E-4298-AB32-09B1884D7487}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{A9C9A606-C87E-4298-AB32-09B1884D7487}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B095A174-E528-4D38-BEC1-D1D38B3B30C0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B095A174-E528-4D38-BEC1-D1D38B3B30C0}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B095A174-E528-4D38-BEC1-D1D38B3B30C0}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B095A174-E528-4D38-BEC1-D1D38B3B30C0}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1C7C8DE9-5F2A-43DB-A25E-33319E80A509}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1C7C8DE9-5F2A-43DB-A25E-33319E80A509}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1C7C8DE9-5F2A-43DB-A25E-33319E80A509}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1C7C8DE9-5F2A-43DB-A25E-33319E80A509}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F2CAE93E-94A7-4365-8E84-8D48CE8DD53F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F2CAE93E-94A7-4365-8E84-8D48CE8DD53F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F2CAE93E-94A7-4365-8E84-8D48CE8DD53F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F2CAE93E-94A7-4365-8E84-8D48CE8DD53F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{857BCD0E-753F-437A-AF75-B995B4D9A5FE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{857BCD0E-753F-437A-AF75-B995B4D9A5FE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{857BCD0E-753F-437A-AF75-B995B4D9A5FE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{857BCD0E-753F-437A-AF75-B995B4D9A5FE}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FF0B0E64-1AE2-415C-A404-0EB78010821A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FF0B0E64-1AE2-415C-A404-0EB78010821A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FF0B0E64-1AE2-415C-A404-0EB78010821A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FF0B0E64-1AE2-415C-A404-0EB78010821A}.Release|Any CPU.Build.0 = Release|Any CPU
+		{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC}.Release|Any CPU.Build.0 = Release|Any CPU
+		{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E8D9C551-67D2-4651-8EDF-4262DF7375CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E8D9C551-67D2-4651-8EDF-4262DF7375CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E8D9C551-67D2-4651-8EDF-4262DF7375CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E8D9C551-67D2-4651-8EDF-4262DF7375CE}.Release|Any CPU.Build.0 = Release|Any CPU
+		{DA175274-0FF7-4436-9266-742F96C2D1ED}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{DA175274-0FF7-4436-9266-742F96C2D1ED}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{DA175274-0FF7-4436-9266-742F96C2D1ED}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{DA175274-0FF7-4436-9266-742F96C2D1ED}.Release|Any CPU.Build.0 = Release|Any CPU
+		{341EC443-0B6B-4E8C-AF46-D6156573CEA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{341EC443-0B6B-4E8C-AF46-D6156573CEA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{341EC443-0B6B-4E8C-AF46-D6156573CEA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{341EC443-0B6B-4E8C-AF46-D6156573CEA5}.Release|Any CPU.Build.0 = Release|Any CPU
+		{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{47F47A1B-49E0-406A-81C8-31FF2E4C339B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{47F47A1B-49E0-406A-81C8-31FF2E4C339B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{47F47A1B-49E0-406A-81C8-31FF2E4C339B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{47F47A1B-49E0-406A-81C8-31FF2E4C339B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{80E74FBC-4EC8-45FB-B210-473337C484B5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{80E74FBC-4EC8-45FB-B210-473337C484B5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{80E74FBC-4EC8-45FB-B210-473337C484B5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{80E74FBC-4EC8-45FB-B210-473337C484B5}.Release|Any CPU.Build.0 = Release|Any CPU
+		{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D631A936-DD1C-40CC-B735-BD0A5D4F46A1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D631A936-DD1C-40CC-B735-BD0A5D4F46A1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D631A936-DD1C-40CC-B735-BD0A5D4F46A1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D631A936-DD1C-40CC-B735-BD0A5D4F46A1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{34FADEB6-4B56-463B-B359-F844B43D76D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{34FADEB6-4B56-463B-B359-F844B43D76D9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{34FADEB6-4B56-463B-B359-F844B43D76D9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{34FADEB6-4B56-463B-B359-F844B43D76D9}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -96,13 +188,29 @@ Global
 	GlobalSection(NestedProjects) = preSolution
 		{ED328644-A152-403D-86EB-81201AA07744} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
 		{8E6A418A-B305-465D-857D-49953605C18E} = {29DE523D-EEF2-41E9-AC12-F20D8D02BEBB}
-		{427EA8E2-EA76-467E-A6BC-201EFE40C0D0} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
 		{AF013D08-1BF6-4E23-87D2-37F614BE7952} = {29DE523D-EEF2-41E9-AC12-F20D8D02BEBB}
 		{1277105D-50CD-4CE0-9C2C-549F46867E54} = {5F7417F6-4388-49CC-9511-ED63C4A6488A}
 		{FE10F294-817F-477E-A24F-8597A15AF0B5} = {5F7417F6-4388-49CC-9511-ED63C4A6488A}
 		{DD1F496F-CF10-47D1-A57F-5FA256479332} = {607945F3-9896-4544-99EC-F3496CF4D36B}
 		{607945F3-9896-4544-99EC-F3496CF4D36B} = {29DE523D-EEF2-41E9-AC12-F20D8D02BEBB}
 		{A9C9A606-C87E-4298-AB32-09B1884D7487} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{B095A174-E528-4D38-BEC1-D1D38B3B30C0} = {8A477241-B96C-4174-968D-D40CB77F1ECD}
+		{1C7C8DE9-5F2A-43DB-A25E-33319E80A509} = {29DE523D-EEF2-41E9-AC12-F20D8D02BEBB}
+		{857BCD0E-753F-437A-AF75-B995B4D9A5FE} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{FF0B0E64-1AE2-415C-A404-0EB78010821A} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{951C3DF8-DF22-4B2B-839F-FBA26DDD8ABD} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{E8D9C551-67D2-4651-8EDF-4262DF7375CE} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{DA175274-0FF7-4436-9266-742F96C2D1ED} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{BB7E701E-B1C6-453E-800A-E12CE256318D} = {01AB9389-2F89-4F8E-A688-BF4BF1FC42C8}
+		{341EC443-0B6B-4E8C-AF46-D6156573CEA5} = {BB7E701E-B1C6-453E-800A-E12CE256318D}
+		{542C7B7D-C2B4-4AE3-9B2C-C62FCF4DFF8E} = {BB7E701E-B1C6-453E-800A-E12CE256318D}
+		{47F47A1B-49E0-406A-81C8-31FF2E4C339B} = {03D55CA4-20B3-4FEA-9ADD-3C7B5B10E0FE}
+		{80E74FBC-4EC8-45FB-B210-473337C484B5} = {03D55CA4-20B3-4FEA-9ADD-3C7B5B10E0FE}
+		{59642CEF-D90A-4A6B-AD3F-9C6300D1E3FC} = {DD359F0A-0180-4F8F-9E48-46213386BA4D}
+		{15EFE0D0-F41B-47D7-86B7-8F840335CB82} = {DD359F0A-0180-4F8F-9E48-46213386BA4D}
+		{40CA41BF-9E67-4D0A-A3F8-38B94992E4CA} = {DD359F0A-0180-4F8F-9E48-46213386BA4D}
+		{D631A936-DD1C-40CC-B735-BD0A5D4F46A1} = {8A477241-B96C-4174-968D-D40CB77F1ECD}
+		{34FADEB6-4B56-463B-B359-F844B43D76D9} = {DD359F0A-0180-4F8F-9E48-46213386BA4D}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {FEE82475-C009-4762-8113-A6563D9DC49E}

certificates/README.md

@@ -0,0 +1,6 @@
+# Certificates directory structure
+
+This directory contains certificates for AliasVault.
+
+- `app`: Certificates that AliasVault uses to protect application data at rest (e.g. .NET DataProtection keys)
+- `ssl`: SSL/TLS certificates for AliasVault hosted services

certificates/ssl/README.md

@@ -0,0 +1,7 @@
+# SSL certificates directory structure
+
+This directory contains SSL/TLS certificates for various AliasVault services:
+
+- `admin`: Certificate for the Admin UI.
+- `api`: Certificate for the API service.
+- `client`: Certificate for the Client UI.

docker-compose.build.yml

@@ -0,0 +1,42 @@
+services:
+    postgres:
+        image: aliasvault-postgres
+        build:
+            context: .
+            dockerfile: src/Databases/AliasServerDb/Dockerfile
+
+    client:
+        image: aliasvault-client
+        build:
+            context: .
+            dockerfile: src/AliasVault.Client/Dockerfile
+
+    api:
+        image: aliasvault-api
+        build:
+            context: .
+            dockerfile: src/AliasVault.Api/Dockerfile
+
+    admin:
+        image: aliasvault-admin
+        build:
+            context: .
+            dockerfile: src/AliasVault.Admin/Dockerfile
+
+    reverse-proxy:
+        image: aliasvault-reverse-proxy
+        build:
+            context: .
+            dockerfile: Dockerfile
+
+    smtp:
+        image: aliasvault-smtp
+        build:
+            context: .
+            dockerfile: src/Services/AliasVault.SmtpService/Dockerfile
+
+    task-runner:
+        image: aliasvault-task-runner
+        build:
+            context: .
+            dockerfile: src/Services/AliasVault.TaskRunner/Dockerfile

docker-compose.dev.yml

@@ -0,0 +1,20 @@
+services:
+  postgres-dev:
+    image: postgres:16-alpine
+    ports:
+      - "5433:5432"
+    volumes:
+      - ./database/postgres-dev:/var/lib/postgresql/data:rw
+      - ./src/Databases/AliasServerDb/postgresql.conf:/etc/postgresql/postgresql.conf
+    environment:
+      - POSTGRES_DB=aliasvault
+      - POSTGRES_USER=aliasvault
+      - POSTGRES_PASSWORD=password
+    restart: "no"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U aliasvault"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+    command: ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]

docker-compose.letsencrypt.yml

@@ -0,0 +1,7 @@
+services:
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./certificates/letsencrypt:/etc/letsencrypt:rw
+      - ./certificates/letsencrypt/www:/var/www/certbot:rw
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

docker-compose.yml

@@ -1,24 +1,107 @@
 services:
-    wasm:
-        image: aliasvault
-        build:
-            context: .
-            dockerfile: src/AliasVault.WebApp/Dockerfile
-        ports:
-            - "80:8080"
-        restart: always
-        environment:
-            - API_URL=http://localhost:81
-
-    api:
-        image: aliasvault-api
-        build:
-            context: .
-            dockerfile: src/AliasVault.Api/Dockerfile
-        ports:
-            - "81:8081"
+    postgres:
+        image: ghcr.io/lanedirt/aliasvault-postgres:latest
         volumes:
-            - ./database:/database
+            - ./database/postgres:/var/lib/postgresql/data:rw
         env_file:
             - .env
         restart: always
+        healthcheck:
+            test: ["CMD-SHELL", "pg_isready -U aliasvault"]
+            interval: 5s
+            timeout: 5s
+            retries: 5
+            start_period: 10s
+
+    client:
+        image: ghcr.io/lanedirt/aliasvault-client:latest
+        volumes:
+            - ./logs/msbuild:/src/msbuild-logs:rw
+        expose:
+            - "3000"
+        restart: always
+        env_file:
+            - .env
+
+    api:
+        image: ghcr.io/lanedirt/aliasvault-api:latest
+        expose:
+            - "3001"
+        volumes:
+            - ./database:/database:rw
+            - ./certificates/app:/certificates/app:rw
+            - ./logs:/logs:rw
+        restart: always
+        env_file:
+            - .env
+        depends_on:
+            postgres:
+                condition: service_healthy
+        environment:
+            ConnectionStrings__AliasServerDbContext: "Host=postgres;Database=aliasvault;Username=aliasvault;Password=${POSTGRES_PASSWORD}"
+
+    admin:
+        image: ghcr.io/lanedirt/aliasvault-admin:latest
+        expose:
+            - "3002"
+        volumes:
+            - ./database:/database:rw
+            - ./certificates/app:/certificates/app:rw
+            - ./logs:/logs:rw
+        restart: always
+        env_file:
+            - .env
+        depends_on:
+            postgres:
+                condition: service_healthy
+        environment:
+            ConnectionStrings__AliasServerDbContext: "Host=postgres;Database=aliasvault;Username=aliasvault;Password=${POSTGRES_PASSWORD}"
+
+    reverse-proxy:
+        image: ghcr.io/lanedirt/aliasvault-reverse-proxy:latest
+        ports:
+            - "${HTTP_PORT:-80}:80"
+            - "${HTTPS_PORT:-443}:443"
+        volumes:
+            - ./certificates/ssl:/etc/nginx/ssl:rw
+            - ./certificates/letsencrypt:/etc/nginx/ssl-letsencrypt:rw
+            - ./certificates/letsencrypt/www:/var/www/certbot:rw
+        depends_on:
+            - admin
+            - client
+            - api
+            - smtp
+        restart: always
+        env_file:
+            - .env
+
+    smtp:
+        image: ghcr.io/lanedirt/aliasvault-smtp:latest
+        ports:
+            - "${SMTP_PORT:-25}:25"
+            - "${SMTP_TLS_PORT:-587}:587"
+        volumes:
+            - ./database:/database:rw
+            - ./logs:/logs:rw
+        restart: always
+        env_file:
+            - .env
+        depends_on:
+            postgres:
+                condition: service_healthy
+        environment:
+            ConnectionStrings__AliasServerDbContext: "Host=postgres;Database=aliasvault;Username=aliasvault;Password=${POSTGRES_PASSWORD}"
+
+    task-runner:
+        image: ghcr.io/lanedirt/aliasvault-task-runner:latest
+        volumes:
+            - ./database:/database:rw
+            - ./logs:/logs:rw
+        restart: always
+        env_file:
+            - .env
+        depends_on:
+            postgres:
+                condition: service_healthy
+        environment:
+            ConnectionStrings__AliasServerDbContext: "Host=postgres;Database=aliasvault;Username=aliasvault;Password=${POSTGRES_PASSWORD}"

docs/.gitignore

@@ -0,0 +1 @@
+!release

docs/CNAME

@@ -0,0 +1 @@
+docs.aliasvault.net

docs/Dockerfile

@@ -0,0 +1,8 @@
+FROM jekyll/jekyll:4.2.2
+
+WORKDIR /srv/jekyll
+COPY . .
+RUN chown -R jekyll:jekyll /srv/jekyll
+
+# Install the theme and dependencies
+RUN bundle install

docs/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# gem "jekyll", "~> 4.3.2"
+gem "just-the-docs"
+
+# If you want to use GitHub Pages, remove the "gem "jekyll"" above and
+# uncomment the line below. To upgrade, run `bundle update github-pages`.
+gem "github-pages", group: :jekyll_plugins

docs/Gemfile.lock

@@ -0,0 +1,286 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (7.2.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    base64 (0.2.0)
+    benchmark (0.4.0)
+    bigdecimal (3.1.8)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.12.2)
+    colorator (1.1.0)
+    commonmarker (0.23.11)
+    concurrent-ruby (1.3.4)
+    connection_pool (2.4.1)
+    csv (3.3.0)
+    dnsruby (1.72.3)
+      base64 (~> 0.2.0)
+      simpleidn (~> 0.2.1)
+    drb (2.2.1)
+    em-websocket (0.5.3)
+      eventmachine (>= 0.12.9)
+      http_parser.rb (~> 0)
+    ethon (0.16.0)
+      ffi (>= 1.15.0)
+    eventmachine (1.2.7)
+    execjs (2.10.0)
+    faraday (2.12.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
+    ffi (1.17.0-x86_64-linux-musl)
+    forwardable-extended (2.6.0)
+    gemoji (4.1.0)
+    github-pages (232)
+      github-pages-health-check (= 1.18.2)
+      jekyll (= 3.10.0)
+      jekyll-avatar (= 0.8.0)
+      jekyll-coffeescript (= 1.2.2)
+      jekyll-commonmark-ghpages (= 0.5.1)
+      jekyll-default-layout (= 0.1.5)
+      jekyll-feed (= 0.17.0)
+      jekyll-gist (= 1.5.0)
+      jekyll-github-metadata (= 2.16.1)
+      jekyll-include-cache (= 0.2.1)
+      jekyll-mentions (= 1.6.0)
+      jekyll-optional-front-matter (= 0.3.2)
+      jekyll-paginate (= 1.1.0)
+      jekyll-readme-index (= 0.3.0)
+      jekyll-redirect-from (= 0.16.0)
+      jekyll-relative-links (= 0.6.1)
+      jekyll-remote-theme (= 0.4.3)
+      jekyll-sass-converter (= 1.5.2)
+      jekyll-seo-tag (= 2.8.0)
+      jekyll-sitemap (= 1.4.0)
+      jekyll-swiss (= 1.0.0)
+      jekyll-theme-architect (= 0.2.0)
+      jekyll-theme-cayman (= 0.2.0)
+      jekyll-theme-dinky (= 0.2.0)
+      jekyll-theme-hacker (= 0.2.0)
+      jekyll-theme-leap-day (= 0.2.0)
+      jekyll-theme-merlot (= 0.2.0)
+      jekyll-theme-midnight (= 0.2.0)
+      jekyll-theme-minimal (= 0.2.0)
+      jekyll-theme-modernist (= 0.2.0)
+      jekyll-theme-primer (= 0.6.0)
+      jekyll-theme-slate (= 0.2.0)
+      jekyll-theme-tactile (= 0.2.0)
+      jekyll-theme-time-machine (= 0.2.0)
+      jekyll-titles-from-headings (= 0.5.3)
+      jemoji (= 0.13.0)
+      kramdown (= 2.4.0)
+      kramdown-parser-gfm (= 1.1.0)
+      liquid (= 4.0.4)
+      mercenary (~> 0.3)
+      minima (= 2.5.1)
+      nokogiri (>= 1.16.2, < 2.0)
+      rouge (= 3.30.0)
+      terminal-table (~> 1.4)
+      webrick (~> 1.8)
+    github-pages-health-check (1.18.2)
+      addressable (~> 2.3)
+      dnsruby (~> 1.60)
+      octokit (>= 4, < 8)
+      public_suffix (>= 3.0, < 6.0)
+      typhoeus (~> 1.3)
+    html-pipeline (2.14.3)
+      activesupport (>= 2)
+      nokogiri (>= 1.4)
+    http_parser.rb (0.8.0)
+    i18n (1.14.6)
+      concurrent-ruby (~> 1.0)
+    jekyll (3.10.0)
+      addressable (~> 2.4)
+      colorator (~> 1.0)
+      csv (~> 3.0)
+      em-websocket (~> 0.5)
+      i18n (>= 0.7, < 2)
+      jekyll-sass-converter (~> 1.0)
+      jekyll-watch (~> 2.0)
+      kramdown (>= 1.17, < 3)
+      liquid (~> 4.0)
+      mercenary (~> 0.3.3)
+      pathutil (~> 0.9)
+      rouge (>= 1.7, < 4)
+      safe_yaml (~> 1.0)
+      webrick (>= 1.0)
+    jekyll-avatar (0.8.0)
+      jekyll (>= 3.0, < 5.0)
+    jekyll-coffeescript (1.2.2)
+      coffee-script (~> 2.2)
+      coffee-script-source (~> 1.12)
+    jekyll-commonmark (1.4.0)
+      commonmarker (~> 0.22)
+    jekyll-commonmark-ghpages (0.5.1)
+      commonmarker (>= 0.23.7, < 1.1.0)
+      jekyll (>= 3.9, < 4.0)
+      jekyll-commonmark (~> 1.4.0)
+      rouge (>= 2.0, < 5.0)
+    jekyll-default-layout (0.1.5)
+      jekyll (>= 3.0, < 5.0)
+    jekyll-feed (0.17.0)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-gist (1.5.0)
+      octokit (~> 4.2)
+    jekyll-github-metadata (2.16.1)
+      jekyll (>= 3.4, < 5.0)
+      octokit (>= 4, < 7, != 4.4.0)
+    jekyll-include-cache (0.2.1)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-mentions (1.6.0)
+      html-pipeline (~> 2.3)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-optional-front-matter (0.3.2)
+      jekyll (>= 3.0, < 5.0)
+    jekyll-paginate (1.1.0)
+    jekyll-readme-index (0.3.0)
+      jekyll (>= 3.0, < 5.0)
+    jekyll-redirect-from (0.16.0)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-relative-links (0.6.1)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-remote-theme (0.4.3)
+      addressable (~> 2.0)
+      jekyll (>= 3.5, < 5.0)
+      jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
+      rubyzip (>= 1.3.0, < 3.0)
+    jekyll-sass-converter (1.5.2)
+      sass (~> 3.4)
+    jekyll-seo-tag (2.8.0)
+      jekyll (>= 3.8, < 5.0)
+    jekyll-sitemap (1.4.0)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-swiss (1.0.0)
+    jekyll-theme-architect (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-cayman (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-dinky (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-hacker (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-leap-day (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-merlot (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-midnight (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-minimal (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-modernist (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-primer (0.6.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-github-metadata (~> 2.9)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-slate (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-tactile (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-theme-time-machine (0.2.0)
+      jekyll (> 3.5, < 5.0)
+      jekyll-seo-tag (~> 2.0)
+    jekyll-titles-from-headings (0.5.3)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-watch (2.2.1)
+      listen (~> 3.0)
+    jemoji (0.13.0)
+      gemoji (>= 3, < 5)
+      html-pipeline (~> 2.2)
+      jekyll (>= 3.0, < 5.0)
+    json (2.8.2)
+    just-the-docs (0.10.0)
+      jekyll (>= 3.8.5)
+      jekyll-include-cache
+      jekyll-seo-tag (>= 2.0)
+      rake (>= 12.3.1)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    liquid (4.0.4)
+    listen (3.9.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    logger (1.6.1)
+    mercenary (0.3.6)
+    minima (2.5.1)
+      jekyll (>= 3.5, < 5.0)
+      jekyll-feed (~> 0.9)
+      jekyll-seo-tag (~> 2.1)
+    minitest (5.25.1)
+    net-http (0.5.0)
+      uri
+    nokogiri (1.16.7-x86_64-linux)
+      racc (~> 1.4)
+    octokit (4.25.1)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
+    pathutil (0.16.2)
+      forwardable-extended (~> 2.6)
+    public_suffix (5.1.1)
+    racc (1.8.1)
+    rake (13.2.1)
+    rb-fsevent (0.11.2)
+    rb-inotify (0.11.1)
+      ffi (~> 1.0)
+    rexml (3.3.9)
+    rouge (3.30.0)
+    rubyzip (2.3.2)
+    safe_yaml (1.0.5)
+    sass (3.7.4)
+      sass-listen (~> 4.0.0)
+    sass-listen (4.0.0)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+    sawyer (0.9.2)
+      addressable (>= 2.3.5)
+      faraday (>= 0.17.3, < 3)
+    securerandom (0.3.2)
+    simpleidn (0.2.3)
+    terminal-table (1.8.0)
+      unicode-display_width (~> 1.1, >= 1.1.1)
+    typhoeus (1.4.1)
+      ethon (>= 0.9.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (1.8.0)
+    uri (1.0.2)
+    webrick (1.9.0)
+
+PLATFORMS
+  x86_64-linux-musl
+
+DEPENDENCIES
+  github-pages
+  just-the-docs
+
+BUNDLED WITH
+   2.3.25

docs/README.md

@@ -1,5 +0,0 @@
-# Documentation
-This is the documentation for the AliasVault project.
-
-## Description
-TODO: Work in progress.

docs/_config.yml

@@ -0,0 +1,40 @@
+remote_theme: just-the-docs/just-the-docs
+title: AliasVault
+description: Documentation for the AliasVault password manager
+
+logo: "/assets/img/logo.svg"
+favicon_ico: "/assets/img/favicon.png"
+
+# Navigation settings
+aux_links:
+  "AliasVault on GitHub":
+    - "https://github.com/lanedirt/AliasVault"
+  "AliasVault Website":
+    - "https://aliasvault.net"
+aux_links_new_tab: true
+
+# Search settings
+search_enabled: true
+heading_anchors: true
+
+# Theme settings
+color_scheme: aliasvault
+
+# Enable copy code button
+enable_copy_code_button: true
+
+# Footer "Edit this page on GitHub" link text
+gh_edit_link: true # show or hide edit this page link
+gh_edit_link_text: "Edit this page on GitHub."
+gh_edit_repository: "https://github.com/lanedirt/AliasVault" # the github URL for your repo
+gh_edit_branch: "main" # the branch that your docs is served from
+gh_edit_source: docs # the source that your files originate from
+gh_edit_view_mode: "tree" # "tree" or "edit" if you want the user to jump into the editor immediately
+
+callouts:
+  warning:
+    title: Warning
+    color: red
+  note:
+    title: Note
+    color: purple

docs/_includes/nav_footer_custom.html

@@ -0,0 +1 @@
+ 

docs/_sass/color_schemes/aliasvault.scss

@@ -0,0 +1,42 @@
+@import "./color_schemes/dark";
+
+// Base theme colors
+$link-color: #f49541;
+$btn-primary-color: #d68338;
+
+// Main colors
+$body-background-color: #1f2937;
+$sidebar-color: #111827;
+$border-color: #374151;
+$body-text-color: #f8f9fa;
+
+// Navigation
+$nav-child-link-color: #fdde85;
+$search-result-preview-color: #e9ecef;
+
+// Content elements
+$feedback-color: #2d3748;
+$table-background-color: #374151;
+$search-background-color: #374151;
+
+// Code blocks
+$code-background-color: #2d3748;
+$code-linenumber-color: #9ca3af;
+
+// Tables
+$table-border-color: #4b5563;
+
+// Search
+$search-result-preview-color: #d1d5db;
+
+// Buttons
+$btn-primary-color-dark: #d68338;
+
+// Base Colors (kept for compatibility)
+$purple-000: #f8b963;
+$purple-100: #ffd5a8;
+$purple-200: #f49541;
+$purple-300: #d68338;
+
+// Navigation additional
+$nav-button-color: #f49541;

docs/architecture/index.md

@@ -0,0 +1,82 @@
+---
+layout: default
+title: Architecture
+has_children: true
+nav_order: 3
+---
+
+# Architecture
+
+AliasVault implements a zero-knowledge architecture where sensitive user data and passwords never leave the client device in unencrypted form. Below is a detailed explanation of how the system secures user data and communications.
+
+## Diagram
+The security architecture diagram below illustrates all encryption and authentication processes used in AliasVault to secure user data and communications.
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="../assets/diagrams/security-architecture/aliasvault-security-architecture-dark.svg">
+  <source media="(prefers-color-scheme: light)" srcset="../assets/diagrams/security-architecture/aliasvault-security-architecture-light.svg">
+  <img alt="AliasVault Security Architecture Diagram" src="../assets/diagrams/security-architecture/aliasvault-security-architecture-light.svg">
+</picture>
+
+You can also view the diagram in a browser-friendly HTML format: [AliasVault Security Architecture](https://lanedirt.github.io/AliasVault/assets/diagrams/security-architecture/aliasvault-security-architecture.html)
+
+## Key Components and Process Flow
+
+### 1. Key Derivation
+- When a user enters their master password, it remains strictly on the client device
+- The master password is processed through Argon2id (a memory-hard key derivation function) locally
+- The derived key serves two purposes:
+    - Authentication with the server through the SRP protocol
+    - Local encryption/decryption of vault contents using AES-256-GCM
+
+### 2. Authentication Process
+1. SRP (Secure Remote Password) Authentication
+    - Enables secure password-based authentication without transmitting the password
+    - Client and server perform a cryptographic handshake to verify identity
+
+2. Two-Factor Authentication (Optional)
+    - If enabled, requires an additional verification step after successful SRP authentication
+    - Uses Time-based One-Time Password (TOTP) protocol
+    - Compatible with standard authenticator apps (e.g., Google Authenticator)
+    - Server only issues the final JWT access token after successful 2FA verification
+
+### 3. Vault Operations
+- All vault contents are encrypted/decrypted locally using AES-256-GCM
+- The encryption key is derived from the user's master password
+- Only encrypted data is ever transmitted to or stored on the server
+- The server never has access to the unencrypted vault contents
+
+### 4. Email System Security
+
+#### Key Generation and Storage
+1. RSA key pair is generated locally on the client
+2. Private key is stored in the encrypted vault
+3. Public key is sent to the server and associated with email claim(s)
+
+#### Email Reception Process
+1. When an email is received, the server:
+    - Verifies if the recipient has a valid email claim
+    - If no valid claim exists, the email is rejected
+    - If valid, generates a random 256-bit symmetric key
+    - Encrypts the email content using this symmetric key
+    - Encrypts the symmetric key using the recipient's public key
+    - Stores both the encrypted email and encrypted symmetric key
+
+#### Email Retrieval Process
+1. Client retrieves encrypted email and encrypted symmetric key from server
+2. Client uses private key from vault to decrypt the symmetric key
+3. Client uses decrypted symmetric key to decrypt the email contents
+4. All decryption occurs locally on the client device
+
+> Note: The use of a symmetric key for email content encryption and asymmetric encryption for the symmetric key (hybrid encryption) is implemented due to RSA's limitations on encryption string length and for better performance.
+
+## Security Benefits
+- Zero-knowledge architecture ensures user data privacy
+- Master password never leaves the client device
+- All sensitive operations (key derivation, encryption/decryption) happen locally
+- Server stores only encrypted data
+- Multi-layer encryption for emails provides secure communication
+- Optional 2FA adds an additional security layer
+- Use of established cryptographic standards (Argon2id, AES-256-GCM, RSA/OAEP)
+
+This security architecture ensures that even if the server is compromised, user data remains secure as all sensitive operations and keys remain strictly on the client side.

docs/assets/diagrams/_README.md

@@ -0,0 +1,32 @@
+
+
+# Diagrams
+
+This folder contains architecture and flow diagrams for AliasVault in various formats.
+
+## Draw.io Diagrams (.drawio)
+Files with `.drawio` extension are created with Draw.io (also known as diagrams.net), an open-source diagramming tool.
+
+### How to Open/Edit Draw.io Files
+1. Web Interface (Cloud)
+    - Visit [diagrams.net](https://app.diagrams.net/)
+    - Open source code available at [github.com/jgraph/drawio](https://github.com/jgraph/drawio)
+
+2. Desktop Applications (Offline)
+    - Available for Windows, macOS, and Linux
+    - Download from [github.com/jgraph/drawio-desktop/releases](https://github.com/jgraph/drawio-desktop/releases)
+    - Open source code available at [github.com/jgraph/drawio-desktop](https://github.com/jgraph/drawio-desktop)
+
+3. VS Code Extension
+    - Install the [Draw.io Integration](https://marketplace.visualstudio.com/items?itemName=hediet.vscode-drawio) extension
+    - Edit diagrams directly within VS Code
+    - Source code at [github.com/hediet/vscode-drawio](https://github.com/hediet/vscode-drawio)
+
+## Mermaid Diagrams (.mmd)
+Files with `.mmd` extension are [Mermaid](https://mermaid.js.org/) format diagrams. These are text-based diagram definitions that can be rendered by various tools.
+
+### Editors & Tools for Mermaid
+- [Mermaid Live Editor](https://github.com/mermaid-js/mermaid-live-editor) - Web-based editor with live preview
+- [VS Code Mermaid Extension](https://github.com/mermaid-js/vscode-mermaid) - Preview and edit Mermaid diagrams directly in VS Code
+- [Obsidian Mermaid Plugin](https://github.com/jobindj/obsidian-mermaid) - If you use Obsidian for documentation
+- [GitLab](https://docs.gitlab.com/ee/user/markdown.html#mermaid) and [GitHub](https://github.blog/2022-02-14-include-diagrams-markdown-files-mermaid/) both render Mermaid diagrams natively in markdown

docs/assets/diagrams/security-architecture/aliasvault-security-architecture.drawio

@@ -0,0 +1,452 @@
+<mxfile host="Electron" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/24.7.17 Chrome/128.0.6613.36 Electron/32.0.1 Safari/537.36" version="24.7.17">
+  <diagram name="Page-1" id="ykhTdbPCDOXpVAqZYsCj">
+    <mxGraphModel dx="1775" dy="1249" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1654" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-1" value="Legend" style="shape=table;startSize=30;container=1;collapsible=0;childLayout=tableLayout;fontSize=16;align=left;verticalAlign=top;fillColor=#0050ef;strokeColor=#001DBC;fontColor=#ffffff;fontStyle=1;spacingLeft=6;spacing=0;resizable=0;" vertex="1" parent="1">
+          <mxGeometry x="275" y="1058" width="723" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-2" value="" style="shape=tableRow;horizontal=0;startSize=0;swimlaneHead=0;swimlaneBody=0;strokeColor=inherit;top=0;left=0;bottom=0;right=0;collapsible=0;dropTarget=0;fillColor=none;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-1">
+          <mxGeometry y="30" width="723" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-3" value="Cryptographic Operations" style="shape=partialRectangle;html=1;whiteSpace=wrap;connectable=0;strokeColor=#432D57;overflow=hidden;fillColor=#76608a;top=0;left=0;bottom=0;right=0;pointerEvents=1;fontSize=12;align=left;fontColor=#ffffff;spacingLeft=10;spacingRight=4;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-2">
+          <mxGeometry width="163" height="30" as="geometry">
+            <mxRectangle width="163" height="30" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-203" value="Storage Elements" style="shape=partialRectangle;html=1;whiteSpace=wrap;connectable=0;strokeColor=#006EAF;overflow=hidden;fillColor=#1ba1e2;top=0;left=0;bottom=0;right=0;pointerEvents=1;fontSize=12;align=left;fontColor=#ffffff;spacingLeft=10;spacingRight=4;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-2">
+          <mxGeometry x="163" width="120" height="30" as="geometry">
+            <mxRectangle width="120" height="30" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-208" value="&lt;span style=&quot;color: rgb(0, 0, 0);&quot;&gt;Keys and Sensitive Data&lt;/span&gt;" style="shape=partialRectangle;html=1;whiteSpace=wrap;connectable=0;strokeColor=#B09500;overflow=hidden;fillColor=#e3c800;top=0;left=0;bottom=0;right=0;pointerEvents=1;fontSize=12;align=left;fontColor=#000000;spacingLeft=10;spacingRight=4;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-2">
+          <mxGeometry x="283" width="170" height="30" as="geometry">
+            <mxRectangle width="170" height="30" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-213" value="Authentication Steps" style="shape=partialRectangle;html=1;whiteSpace=wrap;connectable=0;strokeColor=#2D7600;overflow=hidden;fillColor=#60a917;top=0;left=0;bottom=0;right=0;pointerEvents=1;fontSize=12;align=left;fontColor=#ffffff;spacingLeft=10;spacingRight=4;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-2">
+          <mxGeometry x="453" width="150" height="30" as="geometry">
+            <mxRectangle width="150" height="30" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-218" value="Process step" style="shape=partialRectangle;html=1;whiteSpace=wrap;connectable=0;strokeColor=#6D1F00;overflow=hidden;fillColor=#a0522d;top=0;left=0;bottom=0;right=0;pointerEvents=1;fontSize=12;align=left;fontColor=#ffffff;spacingLeft=10;spacingRight=4;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-2">
+          <mxGeometry x="603" width="120" height="30" as="geometry">
+            <mxRectangle width="120" height="30" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-15" value="Client (WebAssembly)" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="40" y="52" width="1340" height="470" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-63" value="Vault operations" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="526.84" y="82" width="160" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-32" value="Server (REST API)" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="40" y="652" width="1340" height="390" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-43" value="" style="group;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" connectable="0" parent="1">
+          <mxGeometry x="70" y="682.65" width="410" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-33" value="Authentication flow" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry width="410" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-34" value="SRP server verification" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;strokeColor=#432D57;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="150" y="40" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-35" value="2FA (Optional)" style="text;html=1;align=center;verticalAlign=top;whiteSpace=wrap;rounded=0;fillColor=#60a917;strokeColor=#2D7600;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="16" y="120" width="378" height="90" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-81" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-43" source="6F2B19X3ZkVbRV3rCgbW-36" target="6F2B19X3ZkVbRV3rCgbW-37">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-36" value="Google Authenticator or compatible" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#60a917;strokeColor=#2D7600;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="34" y="155" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-82" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-43" source="6F2B19X3ZkVbRV3rCgbW-37" target="6F2B19X3ZkVbRV3rCgbW-38">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-37" value="Time-based OTP" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#60a917;strokeColor=#2D7600;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="154" y="155" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-38" value="Verify OTP code" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#60a917;strokeColor=#2D7600;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="274" y="155" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-39" value="Issue JWT token" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#60a917;strokeColor=#2D7600;fontColor=#ffffff;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-43">
+          <mxGeometry x="150" y="239.35" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-40" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-43" source="6F2B19X3ZkVbRV3rCgbW-34" target="6F2B19X3ZkVbRV3rCgbW-35">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="-256" y="440" as="sourcePoint" />
+            <mxPoint x="-206" y="390" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-41" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-43" source="6F2B19X3ZkVbRV3rCgbW-35" target="6F2B19X3ZkVbRV3rCgbW-39">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="215" y="100" as="sourcePoint" />
+            <mxPoint x="215" y="130" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-44" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-26" target="6F2B19X3ZkVbRV3rCgbW-66">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="369" y="640" as="sourcePoint" />
+            <mxPoint x="419" y="590" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-45" value="SRP handshake" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-44">
+          <mxGeometry x="-0.1654" y="1" relative="1" as="geometry">
+            <mxPoint x="8" y="15" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-27" value="AES256-GCM" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="1">
+          <mxGeometry x="554" y="222" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-26" value="SRP client" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="1">
+          <mxGeometry x="164" y="453" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-60" value="Key derivation and server authentication" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="95" y="82" width="250" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-16" value="Master Password &lt;br&gt;(not persisted)" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="145" y="172" width="150" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-20" value="Argon2Id" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="1">
+          <mxGeometry x="165" y="247" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-22" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-16" target="6F2B19X3ZkVbRV3rCgbW-20">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="405" y="282" as="sourcePoint" />
+            <mxPoint x="455" y="232" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-23" value="Derived Key &lt;br&gt;(stored in app memory)" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="144" y="320" width="150" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-24" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-20" target="6F2B19X3ZkVbRV3rCgbW-23">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="405" y="282" as="sourcePoint" />
+            <mxPoint x="455" y="232" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-28" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;curved=1;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-23" target="6F2B19X3ZkVbRV3rCgbW-26">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="420" y="552" as="sourcePoint" />
+            <mxPoint x="470" y="502" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-30" value="Used for authentication&lt;br&gt;with server" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-28">
+          <mxGeometry x="-0.1756" y="2" relative="1" as="geometry">
+            <mxPoint x="-2" y="24" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-67" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-66" target="6F2B19X3ZkVbRV3rCgbW-34">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-66" value="SRP salt/verifier" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="144" y="559" width="150" height="48" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-72" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-68" target="6F2B19X3ZkVbRV3rCgbW-27">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="609" y="392" />
+              <mxPoint x="609" y="392" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-180" value="Decrypt with&lt;br&gt;derived key" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-72">
+          <mxGeometry x="0.6371" y="-1" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-68" value="Retrieve encrypted vault" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="1">
+          <mxGeometry x="549" y="330" width="120" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-47" value="Server storage" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;container=0;" vertex="1" parent="1">
+          <mxGeometry x="540" y="682.65" width="140" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-70" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-56" target="6F2B19X3ZkVbRV3rCgbW-68">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-181" value="Retrieve vault &lt;br&gt;from server" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-70">
+          <mxGeometry x="0.2454" y="1" relative="1" as="geometry">
+            <mxPoint y="-26" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-56" value="Encrypted Vault(s)" style="shape=cylinder3;whiteSpace=wrap;html=1;boundedLbl=1;backgroundOutline=1;size=15;fillColor=#1ba1e2;fontColor=#ffffff;strokeColor=#006EAF;container=0;" vertex="1" parent="1">
+          <mxGeometry x="556" y="712.65" width="110" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-76" value="Claiming new email address" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="720" y="82" width="250" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-83" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-77" target="6F2B19X3ZkVbRV3rCgbW-79">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-100" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-77" target="6F2B19X3ZkVbRV3rCgbW-78">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-77" value="RSA/OAEP Key Generation" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="1">
+          <mxGeometry x="790" y="122" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-78" value="Public key" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="852" y="202" width="100" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-79" value="Private key" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="742" y="202" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-86" value="" style="group;fillColor=#1ba1e2;fontColor=#ffffff;strokeColor=#006EAF;" vertex="1" connectable="0" parent="1">
+          <mxGeometry x="870" y="687" width="490" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-87" value="Email system" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry width="490" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-113" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-86" source="6F2B19X3ZkVbRV3rCgbW-109" target="6F2B19X3ZkVbRV3rCgbW-112">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-114" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-113">
+          <mxGeometry x="-0.1453" y="2" relative="1" as="geometry">
+            <mxPoint x="2" y="-12" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-116" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-86" source="6F2B19X3ZkVbRV3rCgbW-109" target="6F2B19X3ZkVbRV3rCgbW-115">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-117" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-116">
+          <mxGeometry x="0.3626" y="3" relative="1" as="geometry">
+            <mxPoint x="18" y="-2" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-109" value="Valid Email Claim?" style="rhombus;whiteSpace=wrap;html=1;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry x="298.780487804878" y="225" width="95.60975609756098" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-112" value="Reject email" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry x="380" y="155.65" width="103.41" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-120" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-86" source="6F2B19X3ZkVbRV3rCgbW-115" target="6F2B19X3ZkVbRV3rCgbW-121">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="89.6341463414634" y="201.30000000000007" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-125" value="Encrypt email contents &lt;br&gt;with symmetric key &lt;div&gt;&lt;br/&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-120">
+          <mxGeometry x="-0.4172" y="1" relative="1" as="geometry">
+            <mxPoint x="1" y="-1" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-133" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-86" source="6F2B19X3ZkVbRV3rCgbW-115" target="6F2B19X3ZkVbRV3rCgbW-124">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-115" value="Random generated&lt;br&gt;symmetric key" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry x="239.9982926829268" y="145.65" width="131.46341463414635" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-121" value="AES256-GCM" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry x="95.60975609756098" y="35.650000000000006" width="119.51219512195121" height="35.65" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-137" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.25;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="6F2B19X3ZkVbRV3rCgbW-86" source="6F2B19X3ZkVbRV3rCgbW-124" target="6F2B19X3ZkVbRV3rCgbW-121">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-124" value="Encrypt symmetric key with public key" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="6F2B19X3ZkVbRV3rCgbW-86">
+          <mxGeometry x="70.00121951219514" y="105.65" width="131.46341463414635" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-101" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=1;entryY=0.25;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-78" target="6F2B19X3ZkVbRV3rCgbW-99">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="892" y="292" />
+              <mxPoint x="750" y="292" />
+              <mxPoint x="750" y="882" />
+              <mxPoint x="666" y="882" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-102" value="Save in server &lt;br&gt;public key store" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-101">
+          <mxGeometry x="0.4464" y="-2" relative="1" as="geometry">
+            <mxPoint x="9" y="-242" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-103" value="Register new email&lt;br&gt;claim" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="1">
+          <mxGeometry x="781" y="332" width="120" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-140" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.75;exitDx=0;exitDy=0;entryX=0.25;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-99" target="6F2B19X3ZkVbRV3rCgbW-124">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-141" value="Retrieve public key&lt;div&gt;associated with email claim&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-140">
+          <mxGeometry x="0.4692" relative="1" as="geometry">
+            <mxPoint x="17" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-99" value="Public key store" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#1ba1e2;strokeColor=#006EAF;fontColor=#ffffff;" vertex="1" parent="1">
+          <mxGeometry x="556" y="872.65" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-138" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-105" target="6F2B19X3ZkVbRV3rCgbW-109">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-153" value="Retrieve registered email &lt;br&gt;address claims" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-138">
+          <mxGeometry x="0.2388" y="-5" relative="1" as="geometry">
+            <mxPoint x="-10" y="-2" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-105" value="Email claim store" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#1ba1e2;strokeColor=#006EAF;fontColor=#ffffff;" vertex="1" parent="1">
+          <mxGeometry x="555" y="932.65" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-158" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-107" target="6F2B19X3ZkVbRV3rCgbW-109">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-107" value="External email received from internet" style="shape=message;html=1;html=1;outlineConnect=0;labelPosition=center;verticalLabelPosition=bottom;align=center;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="1186.3899999999999" y="1058" width="60" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-106" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" edge="1" parent="1">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="830" y="372" as="sourcePoint" />
+            <mxPoint x="665" y="942" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="830" y="372" />
+              <mxPoint x="830" y="942" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-152" value="Register email claim&lt;br&gt;on server" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-106">
+          <mxGeometry x="-0.3735" relative="1" as="geometry">
+            <mxPoint x="11" y="-153" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-123" value="Encrypted email(s)" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#1ba1e2;strokeColor=#006EAF;fontColor=#ffffff;" vertex="1" parent="1">
+          <mxGeometry x="556" y="812.65" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-134" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=1;entryY=0.75;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-121" target="6F2B19X3ZkVbRV3rCgbW-123">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="1025" y="703" />
+              <mxPoint x="850" y="703" />
+              <mxPoint x="850" y="843" />
+              <mxPoint x="666" y="843" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-135" value="Store encrypted email" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-134">
+          <mxGeometry x="0.6857" relative="1" as="geometry">
+            <mxPoint x="-1" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-136" value="Email retrieval and decryption" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" vertex="1" parent="1">
+          <mxGeometry x="996.3900000000001" y="82" width="250" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-145" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-143" target="6F2B19X3ZkVbRV3rCgbW-144">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-146" value="Decrypt email using private key&lt;br&gt;&amp;nbsp;stored in vault" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-145">
+          <mxGeometry x="0.1105" y="2" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-143" value="Retrieve encrypted email" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="1">
+          <mxGeometry x="1061.39" y="122" width="120" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-148" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-144" target="6F2B19X3ZkVbRV3rCgbW-162">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="1121.39" y="322" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-144" value="AES256-GCM" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fillColor=#76608a;fontColor=#ffffff;strokeColor=#432D57;" vertex="1" parent="1">
+          <mxGeometry x="1066.39" y="232" width="110" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-150" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.25;exitDx=0;exitDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-123">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="1060" y="142" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="672" y="823" />
+              <mxPoint x="920" y="822" />
+              <mxPoint x="920" y="482" />
+              <mxPoint x="1040" y="482" />
+              <mxPoint x="1040" y="142" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-151" value="Retrieve encrypted email" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-150">
+          <mxGeometry x="-0.6389" y="-1" relative="1" as="geometry">
+            <mxPoint x="-117" y="-1" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-159" value="" style="shape=image;aspect=fixed;image=data:image/svg+xml,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDAgMCA1MDAgNTAwIiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCA1MDAgNTAwIiB4bWw6c3BhY2U9InByZXNlcnZlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCBkPSJtNDU5Ljg3IDI5NC45NWMwLjAxNjIwNSA1LjQwMDUgMC4wMzI0MSAxMC44MDEtMC4zNTAyMiAxNi44NzMtMS4xMTEgNi4zMzkyLTEuMTk0MSAxMi4xNzMtMi42MzUxIDE3LjY0OS0xMC45MjIgNDEuNTA4LTM2LjczMSA2OS40ODEtNzcuMzUxIDgzLjQwOC03LjIxNTcgMi40NzM5LTE0Ljk3MiAzLjM3MDItMjIuNDc5IDQuOTk1LTIzLjYyOSAwLjA0MjIwNS00Ny4yNTcgMC4xMTQ1My03MC44ODYgMC4xMjAyNy00Ni43NjIgMC4wMTEzMjItOTMuNTIzLTAuMDE0MTYtMTQwLjk1LTAuNDM0MTEtOC41OS0yLjAwMjQtMTYuNzY2LTIuODM1Mi0yNC4zOTgtNS4zMzI2LTIxLjU5NS03LjA2NjYtMzkuNTIzLTE5LjY1Ni01My43MDgtMzcuNTUyLTEwLjIyNy0xMi45MDMtMTcuNTc5LTI3LjE3LTIxLjI4LTQzLjIyMS0xLjQ3NS02LjM5NjctMi40NzExLTEyLjkwNC0zLjY4NTItMTkuMzYxLTAuMDUxODQ5LTUuNzQ3LTAuMTAzNy0xMS40OTQgMC4yNjkxNS0xNy44ODYgNC4xNTktNDIuOTczIDI3LjY4LTcxLjYzOCA2My41NjItOTIuMTUzIDAtMC43MDc2MS0wLjAwMTk2MS0xLjY5ODggMy4xMmUtNCAtMi42OSAwLjAyMjQ4NC05LjgyOTMtMS4zMDcxLTE5Ljg5NCAwLjM1NjY0LTI5LjQzOCAzLjIzOTEtMTguNTc5IDExLjA4LTM1LjI3MiAyMy43NjMtNDkuNzczIDEyLjA5OC0xMy44MzIgMjYuNDU3LTIzLjk4OSA0My42MDktMzAuMDI5IDcuODEzLTIuNzUxMiAxNi4xNC00LjA0MTcgMjQuMjM0LTUuOTk0OCA3LjM5Mi0wLjAyNTczNCAxNC43ODQtMC4wNTE0NiAyMi44MzUgMC4zMjI1MyA0LjE5NTkgMC45NTM5MiA3Ljc5NDYgMS4yNTM4IDExLjI1OCAyLjEwNTMgMTcuMTYgNC4yMTkyIDMyLjI4NyAxMi4xNzYgNDUuNDY5IDI0LjEwNCAyLjI1NTggMi4wNDExIDQuMzcyIDYuNjI0MSA5LjYyMSAzLjg2OCAxNi44MzktOC44NDE5IDM0LjcxOC0xMS41OTcgNTMuNjAzLTguNTk0IDE2Ljc5MSAyLjY2OTkgMzEuNjAyIDkuNDMwOCA0NC4yMzYgMjAuNjM2IDExLjUzMSAxMC4yMjcgMTkuODQgMjIuODQxIDI1LjM5MyAzNy4yMzYgNi4zNDM2IDE2LjQ0NSAxMC4zODkgMzMuMTYzIDYuMDc5OCA0OS4zODkgNy45NTg3IDguOTMyMSAxNS44MDcgMTYuNzA0IDIyLjQyMSAyNS40MTQgOS4xNjIgMTIuMDY1IDE1LjMzIDI1Ljc0NiAxOC4xNDQgNDAuNzc2IDAuOTcwNDYgNS4xODQ4IDEuOTExMSAxMC4zNzUgMi44NjU0IDE1LjU2M20tNzEuNTk3IDcxLjAxMmM1LjU2MTUtNS4yMjg0IDEyLjAwMi05Ljc5ODYgMTYuNTA4LTE1LjgxNyAxMC40NzQtMTMuOTkyIDE0LjMzMy0yOS45MTYgMTEuMjg4LTQ3LjQ0Ni0yLjI0OTYtMTIuOTUtOC4xOTczLTI0LjA3Ni0xNy4yNDMtMzMuMDYzLTEyLjc0Ni0xMi42NjMtMjguODY1LTE4LjYxNC00Ni43ODYtMTguNTY5LTY5LjkxMiAwLjE3NzEyLTEzOS44MiAwLjU2ODMxLTIwOS43NCAwLjk2MTc2LTE1LjkyMiAwLjA4OTU5OS0yOS4xNjggNy40MjA5LTM5LjY4NSAxOC4yOTYtMTQuNDUgMTQuOTQ0LTIwLjQwOCAzMy4zNDMtMTYuNjU1IDU0LjM2OCAyLjI3NjMgMTIuNzU0IDguMjE2NyAyMy43NDggMTcuMTU4IDMyLjY2IDEzLjI5OSAxMy4yNTUgMzAuMDk3IDE4LjY1MyA0OC43MjggMTguNjUxIDU5LjMyMS0wLjAwNTE4OCAxMTguNjQgMC4wNDIzNTggMTc3Ljk2LTAuMDQ2NjAxIDkuNTkxMi0wLjAxNDM3NCAxOS4xODEtMC44NjU4OCAyOC43NzMtMC44ODg1NSAxMC42NDktMC4wMjUxNDYgMTkuOTc4LTMuODI1IDI5LjY4Ny05LjEwNzR6IiBmaWxsPSIjRUVDMTcwIi8+CjxwYXRoIGQ9Im0xNjIuNzcgMjkzYzE1LjY1NCA0LjM4ODMgMjAuNjI3IDIyLjk2NyAxMC4zMDQgMzQuOTgtNS4zMTA0IDYuMTc5NS0xNC44MTcgOC4zMjA4LTI0LjI3OCA1LjA0NzItNy4wNzIzLTIuNDQ3MS0xMi4zMzItMTAuMzYyLTEyLjg3Ni0xNy45MzMtMS4wNDUxLTE0LjU0MiAxMS4wODktMjMuMTc2IDIxLjcwNS0yMy4wNDYgMS41Nzk0IDAuMDE5Mjg3IDMuMTUxNyAwLjYxNTY2IDUuMTQ2MSAwLjk1MTg0eiIgZmlsbD0iI0VFQzE3MCIvPgo8cGF0aCBkPSJtMjI3LjE4IDI5My42NGM3Ljg0OTkgMi4zOTczIDExLjkzOCA4LjIxNDMgMTMuNTI0IDE1LjA3NyAxLjg1OTEgOC4wNDM5LTAuNDQ4MTcgMTUuNzA2LTcuMTU4OCAyMS4xMjEtNi43NjMzIDUuNDU3Mi0xNC40MTcgNi44Nzk0LTIyLjU3OCAzLjE0ODMtOC4yOTcyLTMuNzkzMy0xMi44MzYtMTAuODQ5LTEyLjczNi0xOS40MzggMC4xNjg3LTE0LjQ5NyAxNC4xMy0yNS4zNjggMjguOTQ4LTE5LjkwOHoiIGZpbGw9IiNFRUMxNzAiLz4KPHBhdGggZD0ibTI2MS41NyAzMTkuMDdjLTIuNDk1LTE0LjQxOCA0LjY4NTMtMjIuNjAzIDE0LjU5Ni0yNi4xMDggOS44OTQ1LTMuNDk5NSAyMy4xODEgMy40MzAzIDI2LjI2NyAxMy43NzkgNC42NTA0IDE1LjU5MS03LjE2NTEgMjkuMDY0LTIxLjY2NSAyOC4xNjEtOC41MjU0LTAuNTMwODgtMTcuMjAyLTYuNTA5NC0xOS4xOTgtMTUuODMxeiIgZmlsbD0iI0VFQzE3MCIvPgo8cGF0aCBkPSJtMzM2LjkxIDMzMy40MWMtOS4wMTc1LTQuMjQ5MS0xNS4zMzctMTQuMzQ5LTEzLjgyOS0yMS42ODIgMy4wODI1LTE0Ljk4OSAxMy4zNDEtMjAuMzA0IDIzLjAxOC0xOS41ODUgMTAuNjUzIDAuNzkxNDEgMTcuOTMgNy40MDcgMTkuNzY1IDE3LjU0NyAxLjk1ODggMTAuODI0LTQuMTE3MSAxOS45MzktMTMuNDk0IDIzLjcwMy01LjI3MiAyLjExNjItMTAuMDkxIDEuNTA4Ni0xNS40NiAwLjAxNzg4M3oiIGZpbGw9IiNFRUMxNzAiLz4KPC9zdmc+Cg==;" vertex="1" parent="1">
+          <mxGeometry x="40" y="1060" width="58" height="58" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-160" value="AliasVault" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;fontSize=24;fontStyle=1" vertex="1" parent="1">
+          <mxGeometry x="100" y="1064" width="130" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-161" value="Security architecture 0.6.0" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="1">
+          <mxGeometry x="98" y="1088" width="160" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-162" value="Decrypted email" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="1056.39" y="320" width="130" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-58" value="JWT token for &lt;br&gt;authenticating&lt;br&gt;with REST API" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;fillColor=#e3c800;fontColor=#000000;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="364" y="559" width="155" height="48" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-165" value="Client local storage" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;container=0;" vertex="1" parent="1">
+          <mxGeometry x="370" y="82" width="140" height="320" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-166" value="Decrypted vault&lt;br&gt;(app memory)" style="shape=cylinder3;whiteSpace=wrap;html=1;boundedLbl=1;backgroundOutline=1;size=15;fillColor=#1ba1e2;fontColor=#ffffff;strokeColor=#006EAF;container=0;" vertex="1" parent="1">
+          <mxGeometry x="380" y="112" width="110" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-167" value="JWT Token&lt;br&gt;(browser local storage)" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#1ba1e2;strokeColor=#006EAF;fontColor=#ffffff;" vertex="1" parent="1">
+          <mxGeometry x="383" y="312" width="116" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-169" value="Derived Key&lt;br&gt;(app&lt;span style=&quot;background-color: initial;&quot;&gt;&amp;nbsp;memory)&lt;/span&gt;" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#1ba1e2;strokeColor=#006EAF;fontColor=#ffffff;" vertex="1" parent="1">
+          <mxGeometry x="383" y="242" width="116" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-84" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-79" target="6F2B19X3ZkVbRV3rCgbW-166">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="630" y="222" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="752" y="152" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-85" value="Stored in vault" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-84">
+          <mxGeometry x="0.3345" y="3" relative="1" as="geometry">
+            <mxPoint x="7" y="-3" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-170" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="6F2B19X3ZkVbRV3rCgbW-169">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="280" y="342" as="sourcePoint" />
+            <Array as="points">
+              <mxPoint x="320" y="342" />
+              <mxPoint x="320" y="267" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-173" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-58" target="6F2B19X3ZkVbRV3rCgbW-167">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-174" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-39" target="6F2B19X3ZkVbRV3rCgbW-58">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="500" y="942" />
+              <mxPoint x="500" y="632" />
+              <mxPoint x="442" y="632" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-176" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-175" target="6F2B19X3ZkVbRV3rCgbW-16">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-175" value="User login" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#a0522d;fontColor=#ffffff;strokeColor=#6D1F00;" vertex="1" parent="1">
+          <mxGeometry x="162" y="112" width="120" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-178" value="&lt;span style=&quot;&quot;&gt;JWT token protected API endpoints&lt;/span&gt;" style="shape=corner;whiteSpace=wrap;html=1;fontColor=default;fillColor=#e3c800;strokeColor=#B09500;" vertex="1" parent="1">
+          <mxGeometry x="567" y="552" width="803" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-179" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="6F2B19X3ZkVbRV3rCgbW-27" target="6F2B19X3ZkVbRV3rCgbW-166">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="609" y="212" />
+              <mxPoint x="435" y="212" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="6F2B19X3ZkVbRV3rCgbW-182" value="Store vault &lt;br&gt;in local WASM memory" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="6F2B19X3ZkVbRV3rCgbW-179">
+          <mxGeometry x="-0.4412" y="1" relative="1" as="geometry">
+            <mxPoint x="28" y="-21" as="offset" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>

docs/assets/diagrams/security-architecture/security-architecture.mmd

@@ -0,0 +1,118 @@
+%%{ init: { 'flowchart': { 'curve': 'basis' } } }%%
+graph TB
+    %% Legend
+    subgraph Legend["Legend"]
+        L_CRYPTO["Cryptographic Operations"]
+        L_STORAGE["Storage Elements"]
+        L_KEY["Keys and Sensitive Data"]
+        L_PROCESS["Process Steps"]
+        L_AUTH["Authentication Steps"]
+        L_FLOW["Email Processing Flow"]
+    end
+
+    subgraph Client["Client (Local Only Operations)"]
+        direction TB
+        MP[/"Master Password\n(never leaves client)"/]
+
+        subgraph KD["1. Key Derivation"]
+            A2["Argon2id"]
+            DK[/"Derived Key"/]
+            MP --> A2
+            A2 --> DK
+            DK --> |"used for vault\nencryption/decryption"| AES
+            DK --> |"used for authentication"| SRP_C
+        end
+
+        subgraph VE["3. Vault Operations"]
+            AES["AES256-GCM"]
+            VAULT["Encrypted Vault Contents"]
+            AES --> |"encrypt/decrypt"| VAULT
+        end
+
+        subgraph KP["4. Email Key Management"]
+            RSA["RSA/OAEP Key Generation"]
+            PRK[/"Private Key\n(stored in vault)"/]
+            PBK[/"Public Key"/]
+            RSA --> |"generates pair"| PRK
+            RSA --> |"generates pair"| PBK
+        end
+
+        subgraph ED["5. Email Decryption"]
+            PRK --> |"decrypt symmetric key"| SK[/"Symmetric Key\n(AES256)"/]
+            SK --> |"decrypt email"| DC["Decrypted Email"]
+        end
+    end
+
+    subgraph Server["Server"]
+        direction TB
+
+        subgraph AUTH["Authentication Flow"]
+            SRP_S["SRP Verification"]
+            subgraph FA["2FA (Optional)"]
+                TOTP["Time-based OTP"]
+                GA["Google Authenticator\nor Compatible App"]
+                VERIFY["Verify OTP Code"]
+                GA --> |"generate code"| TOTP
+                TOTP --> |"user enters"| VERIFY
+            end
+            JWT["Issue JWT Token"]
+            SRP_S --> FA
+            FA --> |"if 2FA enabled"| JWT
+            SRP_S --> |"if 2FA disabled"| JWT
+        end
+
+        subgraph VS["Vault Storage"]
+            EV["Encrypted Vault Data"]
+        end
+
+        subgraph ES["Email System"]
+            EC["Email Claims"]
+            PKS["Public Key Store"]
+
+            subgraph EP["Email Processing"]
+                CHECK{"Valid\nEmail Claim?"}
+                REJECT["Reject Email"]
+                ESK[/"Generate Random\nSymmetric Key"/]
+                EE["Encrypt Email\nContent"]
+                ESP["Encrypt Symmetric Key\nwith Public Key"]
+                EST["Store Encrypted Email\n& Encrypted Sym Key"]
+
+                CHECK --> |"No"| REJECT
+                CHECK --> |"Yes"| ESK
+                ESK --> EE
+                ESK --> ESP
+                EE --> EST
+                ESP --> EST
+            end
+        end
+    end
+
+    %% Client-Server Interactions
+    SRP_C["SRP Client"] <--> |"SRP Authentication"| SRP_S
+    AES <--> |"encrypted vault transfer"| EV
+    PBK --> |"register"| PKS
+    EST --> |"retrieve encrypted\nemail & sym key"| ED
+
+    %% Styling
+    classDef process fill:#ddd,stroke:#333,stroke-width:2px
+    classDef storage fill:#b7e3fc,stroke:#333,stroke-width:2px
+    classDef key fill:#fef08a,stroke:#333,stroke-width:2px
+    classDef crypto fill:#e9d5ff,stroke:#333,stroke-width:2px
+    classDef auth fill:#86efac,stroke:#333,stroke-width:2px
+    classDef flow fill:#fca5a5,stroke:#333,stroke-width:2px
+
+    %% Apply styles to legend
+    class L_CRYPTO crypto
+    class L_STORAGE storage
+    class L_KEY key
+    class L_PROCESS process
+    class L_AUTH auth
+    class L_FLOW flow
+
+    %% Apply styles to elements
+    class A2,SRP_C,SRP_S,RSA,AES crypto
+    class EV,EST storage
+    class MP,DK,PRK,PBK,SK,ESK key
+    class KD,VE,KP,ED process
+    class SRP_S,FA,JWT,TOTP,VERIFY auth
+    class CHECK,EP flow

docs/assets/img/logo.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg enable-background="new 0 0 800 500" version="1.1" viewBox="-1.84 7.892 1822.253 474.315" xmlns="http://www.w3.org/2000/svg" xmlns:bx="https://boxy-svg.com" width="1822.253px" height="474.315px"><defs><bx:export><bx:file format="svg"/></bx:export></defs><path d="m459.87 294.95c0.016205 5.4005 0.03241 10.801-0.35022 16.873-1.111 6.3392-1.1941 12.173-2.6351 17.649-10.922 41.508-36.731 69.481-77.351 83.408-7.2157 2.4739-14.972 3.3702-22.479 4.995-23.629 0.042205-47.257 0.11453-70.886 0.12027-46.762 0.011322-93.523-0.01416-140.95-0.43411-8.59-2.0024-16.766-2.8352-24.398-5.3326-21.595-7.0666-39.523-19.656-53.708-37.552-10.227-12.903-17.579-27.17-21.28-43.221-1.475-6.3967-2.4711-12.904-3.6852-19.361-0.051849-5.747-0.1037-11.494 0.26915-17.886 4.159-42.973 27.68-71.638 63.562-92.153 0-0.70761-0.001961-1.6988 3.12e-4 -2.69 0.022484-9.8293-1.3071-19.894 0.35664-29.438 3.2391-18.579 11.08-35.272 23.763-49.773 12.098-13.832 26.457-23.989 43.609-30.029 7.813-2.7512 16.14-4.0417 24.234-5.9948 7.392-0.025734 14.784-0.05146 22.835 0.32253 4.1959 0.95392 7.7946 1.2538 11.258 2.1053 17.16 4.2192 32.287 12.176 45.469 24.104 2.2558 2.0411 4.372 6.6241 9.621 3.868 16.839-8.8419 34.718-11.597 53.603-8.594 16.791 2.6699 31.602 9.4308 44.236 20.636 11.531 10.227 19.84 22.841 25.393 37.236 6.3436 16.445 10.389 33.163 6.0798 49.389 7.9587 8.9321 15.807 16.704 22.421 25.414 9.162 12.065 15.33 25.746 18.144 40.776 0.97046 5.1848 1.9111 10.375 2.8654 15.563m-71.597 71.012c5.5615-5.2284 12.002-9.7986 16.508-15.817 10.474-13.992 14.333-29.916 11.288-47.446-2.2496-12.95-8.1973-24.076-17.243-33.063-12.746-12.663-28.865-18.614-46.786-18.569-69.912 0.17712-139.82 0.56831-209.74 0.96176-15.922 0.089599-29.168 7.4209-39.685 18.296-14.45 14.944-20.408 33.343-16.655 54.368 2.2763 12.754 8.2167 23.748 17.158 32.66 13.299 13.255 30.097 18.653 48.728 18.651 59.321-0.005188 118.64 0.042358 177.96-0.046601 9.5912-0.014374 19.181-0.86588 28.773-0.88855 10.649-0.025146 19.978-3.825 29.687-9.1074z" fill="#EEC170"/><path d="m162.77 293c15.654 4.3883 20.627 22.967 10.304 34.98-5.3104 6.1795-14.817 8.3208-24.278 5.0472-7.0723-2.4471-12.332-10.362-12.876-17.933-1.0451-14.542 11.089-23.176 21.705-23.046 1.5794 0.019287 3.1517 0.61566 5.1461 0.95184z" fill="#EEC170"/><path d="m227.18 293.64c7.8499 2.3973 11.938 8.2143 13.524 15.077 1.8591 8.0439-0.44817 15.706-7.1588 21.121-6.7633 5.4572-14.417 6.8794-22.578 3.1483-8.2972-3.7933-12.836-10.849-12.736-19.438 0.1687-14.497 14.13-25.368 28.948-19.908z" fill="#EEC170"/><path d="m261.57 319.07c-2.495-14.418 4.6853-22.603 14.596-26.108 9.8945-3.4995 23.181 3.4303 26.267 13.779 4.6504 15.591-7.1651 29.064-21.665 28.161-8.5254-0.53088-17.202-6.5094-19.198-15.831z" fill="#EEC170"/><path d="m336.91 333.41c-9.0175-4.2491-15.337-14.349-13.829-21.682 3.0825-14.989 13.341-20.304 23.018-19.585 10.653 0.79141 17.93 7.407 19.765 17.547 1.9588 10.824-4.1171 19.939-13.494 23.703-5.272 2.1162-10.091 1.5086-15.46 0.017883z" fill="#EEC170"/><text style="fill: rgb(255, 255, 255); font-family: Arial, sans-serif; font-size: 268.3px; font-weight: 700; white-space: pre;" x="531.151" y="358.747">AliasVault</text></svg>

docs/contact/index.md

@@ -0,0 +1,14 @@
+---
+layout: default
+title: Help and Support
+has_children: true
+nav_order: 100
+---
+
+# Help and Support
+
+If you need help or have any questions about installing or using AliasVault, you can reach us on [AliasVault Discord](https://discord.gg/DsaXMTEtpF).
+
+If you have found a bug or have a feature request, please open an issue on [AliasVault GitHub](https://github.com/lanedirt/AliasVault/issues).
+
+If you have any other questions or feedback, please use the contact form on the [AliasVault website](https://aliasvault.net/contact).

docs/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+    jekyll:
+        build: .
+        volumes:
+            - .:/srv/jekyll
+        ports:
+            - "4000:4000"
+        command: bundle exec jekyll serve --host 0.0.0.0 --watch --force_polling --livereload
+        environment:
+            - JEKYLL_ENV=development
+            - JEKYLL_NO_CACHE=true
+            - DISABLE_DISK_CACHE=true

docs/index.md

@@ -0,0 +1,45 @@
+---
+layout: home
+title: Home
+nav_order: 1
+description: "AliasVault Documentation - Open-source password and identity manager"
+permalink: /
+---
+
+# AliasVault Documentation
+{: .fs-9 }
+
+Open-source password and identity manager with email alias generation and zero-knowledge architecture.
+{: .fs-6 .fw-300 }
+
+[Installation](./installation/install){: .btn .btn-primary .fs-5 .mb-4 .mb-md-0 .mr-2 }
+[View on GitHub](https://github.com/lanedirt/AliasVault){: .btn .fs-5 .mb-4 .mb-md-0 }
+
+---
+
+## What is AliasVault?
+
+AliasVault is a self-hosted password and identity manager that helps you:
+
+- 🔐 **Secure Passwords** - Store and manage passwords with zero-knowledge encryption
+- 📧 **Email Aliases** - Generate unique email addresses for each service
+- 🎭 **Identity Management** - Create and manage separate online identities
+- 🏠 **Self-Hosted** - Run on your own infrastructure using Docker
+- 🔓 **Open Source** - Transparent, auditable, and free to use
+
+## Key Features
+
+### Zero-Knowledge Architecture
+All data is end-to-end encrypted on the client. Your master password never leaves your device, and the server never has access to your data.
+
+### Built-in Email Server
+Generate virtual email addresses for each identity. Emails sent to these addresses are instantly visible in the AliasVault app.
+
+### Virtual Identities
+Create separate identities for different purposes, each with its own email aliases and credentials.
+
+---
+
+## Getting Started
+
+Ready to get started with AliasVault? Check out the [installation guide](./installation).

docs/installation/advanced/build-from-source.md

@@ -0,0 +1,33 @@
+---
+layout: default
+title: Build from Source
+parent: Advanced
+nav_order: 1
+---
+
+# Build from Source
+Instead of using the pre-built Docker images, you can also build the images from source yourself. This allows you to build a specific version of AliasVault and/or to make changes to the source code.
+
+Building from source requires more resources:
+- Minimum 4GB RAM (more RAM will speed up build time)
+- At least 1 vCPU
+- 40GB+ disk space (for dependencies and build artifacts)
+- Docker installed
+- Git installed
+
+## Steps
+1. Clone the repository
+```bash
+git clone https://github.com/lanedirt/AliasVault.git
+cd AliasVault
+```
+2. Make the build script executable and run it. This will create the .env file, build the Docker images locally from source, and start the AliasVault containers. Follow the on-screen prompts to configure AliasVault.
+```bash
+chmod +x install.sh
+./install.sh build
+```
+> **Note:** The build process can take a while depending on your hardware (5-15 minutes).
+
+3.  After the script completes, you can access AliasVault at:
+  - Client: `https://localhost`
+  - Admin: `https://localhost/admin`

docs/installation/advanced/database.md

@@ -0,0 +1,22 @@
+---
+layout: default
+title: Database Backup
+parent: Advanced
+nav_order: 2
+---
+
+# Database Backup
+
+In order to backup the database, you can use the `install.sh` script. This script will stop all services, export the database to a file, and then restart the services.
+
+```bash
+./install.sh db-backup > backup.sql.gz
+```
+
+# Database Restore
+
+To restore the database, you can use the `install.sh` script. This script will stop all services, drop the database, import the database from a file, and then restart the services.
+
+```bash
+./install.sh db-restore < backup.sql.gz
+```

docs/installation/advanced/index.md

@@ -0,0 +1,9 @@
+---
+layout: default
+title: Advanced
+parent: Installation Guide
+nav_order: 2
+---
+
+# Advanced Installation
+The following guides provide more advanced installation options for AliasVault. These options are not required for the basic installation, but may be useful for advanced users.

docs/installation/advanced/manual-setup.md

@@ -0,0 +1,175 @@
+---
+layout: default
+title: Manual Setup
+parent: Advanced
+nav_order: 3
+---
+
+# Manual Setup
+
+If you prefer to manually set up AliasVault, this README provides step-by-step instructions. Follow these steps if you prefer to execute all statements yourself.
+
+## Prerequisites
+
+- Docker and Docker Compose installed on your system
+- OpenSSL for generating random passwords
+
+## Steps
+
+1. **Create required directories**
+
+   Create the following directories in your project root:
+   ```bash
+   mkdir -p certificates/ssl certificates/app database/postgres
+   ```
+
+2. **Create .env file**
+
+   Copy the `.env.example` file to create a new `.env` file:
+   ```bash
+   cp .env.example .env
+   ```
+
+3. **Set HOSTNAME**
+
+   Update the .env file with your hostname (default is localhost):
+   ```bash
+   HOSTNAME=localhost
+   ```
+
+4. **Set default ports**
+
+   Update the .env file with the ports you want to use for the AliasVault components. The values defined here are used by the docker-compose.yml file.
+   ```bash
+   HTTP_PORT=80
+   HTTPS_PORT=443
+   SMTP_PORT=25
+   SMTP_TLS_PORT=587
+   ```
+
+5. **Generate and set JWT_KEY**
+
+   Generate a random 32-char string for JWT token generation:
+   ```bash
+   openssl rand -base64 32
+   ```
+
+   Add the generated key to the .env file:
+   ```bash
+   JWT_KEY=your_generated_key_here
+   ```
+
+6. **Generate and set DATA_PROTECTION_CERT_PASS**
+
+   Generate a random password for the data protection certificate:
+   ```bash
+   openssl rand -base64 32
+   ```
+
+   Add it to the .env file:
+   ```bash
+   DATA_PROTECTION_CERT_PASS=your_generated_password_here
+   ```
+
+7. **Configure PostgreSQL Settings**
+
+   Set the following PostgreSQL-related variables in your .env file:
+   ```bash
+   # Database name (default: aliasvault)
+   POSTGRES_DB=aliasvault
+
+   # Database user (default: aliasvault)
+   POSTGRES_USER=aliasvault
+
+   # Generate a secure password for PostgreSQL
+   POSTGRES_PASSWORD=$(openssl rand -base64 32)
+   ```
+
+8. **Set PRIVATE_EMAIL_DOMAINS**
+
+   Update the .env file with allowed email domains. Use DISABLED.TLD to disable email support:
+   ```bash
+   PRIVATE_EMAIL_DOMAINS=yourdomain.com,anotherdomain.com
+   ```
+   Or to disable email:
+   ```bash
+   PRIVATE_EMAIL_DOMAINS=DISABLED.TLD
+   ```
+
+9. **Set SUPPORT_EMAIL (Optional)**
+
+   Add a support email address if desired:
+   ```bash
+   SUPPORT_EMAIL=support@yourdomain.com
+   ```
+
+10. **Generate admin password**
+
+   Build the Docker image for password hashing:
+   ```bash
+   docker build -t installcli -f src/Utilities/AliasVault.InstallCli/Dockerfile .
+   ```
+
+   Generate the password hash:
+   ```bash
+   docker run --rm installcli "your_preferred_admin_password_here"
+   ```
+
+   Add the password hash and generation timestamp to the .env file:
+   ```bash
+   ADMIN_PASSWORD_HASH=<output_from_previous_command>
+   ADMIN_PASSWORD_GENERATED=2024-01-01T00:00:00Z
+   ```
+
+11. **Optional configuration**
+   Enable or disable public registration of new users:
+   ```bash
+   PUBLIC_REGISTRATION_ENABLED=false
+   ```
+
+12. **Build and start Docker containers**
+
+    Build the Docker Compose stack:
+    ```bash
+    docker compose -f docker-compose.yml -f docker-compose.build.yml build
+    ```
+
+    Start the Docker Compose stack:
+    ```bash
+    docker compose -f docker-compose.yml -f docker-compose.build.yml up -d
+    ```
+
+13. **Access AliasVault**
+
+    AliasVault should now be running. You can access it at:
+
+    - Admin Panel: https://localhost/admin
+        - Username: admin
+        - Password: [Use the password you set in step 9]
+
+    - Client Website: https://localhost/
+        - Create your own account from here
+
+## Important Notes
+
+- Make sure to save both the admin password and PostgreSQL password in a secure location.
+- If you need to reset the admin password in the future, repeat step 9 and restart the Docker containers.
+- Always keep your .env file secure and do not share it, as it contains sensitive information.
+- The PostgreSQL data is persisted in the `database/postgres` directory.
+
+## Troubleshooting
+
+If you encounter any issues during the setup:
+
+1. Check the Docker logs:
+   ```bash
+   docker compose logs
+   ```
+2. Ensure all required ports (80, 443, and 5432) are available and not being used by other services.
+3. Verify that all environment variables in the .env file are set correctly.
+4. Check PostgreSQL container logs specifically:
+   ```bash
+   docker compose logs postgres
+   ```
+
+For further assistance, please refer to the project documentation or seek support through the appropriate channels.

docs/installation/index.md

@@ -0,0 +1,8 @@
+---
+layout: default
+title: Installation Guide
+nav_order: 2
+---
+
+# Installation Guide
+The following guide will walk you through the steps to install AliasVault on your own server. Minimum experience with Docker and Linux is required.

docs/installation/install.md

@@ -0,0 +1,164 @@
+---
+layout: default
+title: Basic Install
+parent: Installation Guide
+nav_order: 1
+---
+
+# Basic Install
+The following guide will walk you through the steps to install AliasVault on your own server. Minimum experience with Docker and Linux is required.
+
+{: .toc }
+* TOC
+{:toc}
+
+---
+
+## 1. Basic Installation
+To get AliasVault up and running quickly, run the install script to pull pre-built Docker images. The install script will also configure the .env file and start the AliasVault containers. You can get up and running in less than 5 minutes.
+
+### Hardware requirements
+- Linux VM with root access (Ubuntu or RHEL based distros recommended)
+- 1 vCPU
+- 1GB RAM
+- 16GB disk space
+- Docker installed
+
+### Installation steps
+1. Download the install script to a directory of your choice. All AliasVault files and directories will be created in this directory.
+```bash
+curl -o install.sh https://raw.githubusercontent.com/lanedirt/AliasVault/main/install.sh
+```
+2. Make the install script executable.
+```bash
+chmod +x install.sh
+```
+3. Run the install script. This will create the .env file, pull the Docker images, and start the AliasVault containers. Follow the on-screen prompts to configure AliasVault.
+```bash
+./install.sh install
+```
+> **Note**: AliasVault binds to ports 80 and 443 by default. If you want to change the default AliasVault ports you can do so in the `.env` file. Afterwards re-run the `./install.sh install` command to restart the containers with the new port settings.
+
+3. After the script completes, you can access AliasVault at:
+  - Client: `https://localhost`
+  - Admin: `https://localhost/admin`
+
+---
+
+## 2. SSL configuration
+The default installation will create a self-signed SSL certificate and configure Nginx to use it.
+
+You can however also use Let's Encrypt to generate valid SSL certificates and configure Nginx to use it. In order to make this work you will need the following:
+
+- A public IPv4 address assigned to your server
+- Port 80 and 443 on your server must be open and accessible from the internet
+- A registered domain name with an A record pointing to your server's public IP address (e.g. mydomain.com)
+
+### Steps
+
+1. Run the install script with the `configure-ssl` option
+```bash
+./install.sh configure-ssl
+```
+2. Follow the prompts to configure Let's Encrypt.
+
+### Reverting to self-signed SSL
+If at any point you would like to revert to the self-signed SSL certificate, run the install script again with the `configure-ssl` option
+and then in the prompt choose option 2.
+
+---
+
+## 3. Email Server Setup
+
+AliasVault includes a built-in email server that can handle multiple custom domains for your aliases.
+
+To set up the email server, you need the following:
+- Public IPv4 address
+- Open ports (25 and 587) in server firewall for SMTP traffic
+- Access to DNS record management for your domain
+
+### a) DNS Configuration
+Configure the following DNS records for your domain:
+
+| Name | Type | Priority | Content                   | TTL |
+|------|------|----------|---------------------------|-----|
+| mail | A    |          | `<your-server-public-ip>` | 3600 |
+| @    | MX   | 10       | `mail.<your-domain>`      | 3600 |
+
+> Note: Replace `<your-server-public-ip>` and `<your-domain>` with your actual values.
+
+### b) Port Configuration
+The email server requires the following ports to be open:
+- Port 25: Standard SMTP (unencrypted)
+- Port 587: SMTP with STARTTLS (encrypted)
+
+#### Verifying Port Access
+You can test if the SMTP ports are correctly configured using telnet:
+
+```bash
+# Test standard SMTP port
+telnet <your-server-public-ip> 25
+
+# Test secure SMTP port
+telnet <your-server-public-ip> 587
+```
+
+If successful, you'll see a connection establishment message. Press Ctrl+C to exit the telnet session.
+
+### c) Setting Up Email Domains
+
+1. Run the email configuration script:
+  ```bash
+  ./install.sh configure-email
+  ````
+2. Follow the interactive prompts to:
+    - Configure your domain(s)
+    - Restart required services
+
+3. Once configured, you can:
+   - Create new aliases in the AliasVault client
+   - Use your custom domain(s) for email addresses
+     - Note: you can configure the default domain for new aliases in the AliasVault client in Menu > Settings > Email Settings > Default Email Domain
+   - Start receiving emails on your aliases
+
+{: .note }
+Important: DNS propagation can take up to 24-48 hours. During this time, email delivery might be inconsistent.
+
+If you encounter any issues, feel free to open an issue on the [GitHub repository](https://github.com/lanedirt/AliasVault/issues).
+
+---
+
+## 4. Configure Account Registration
+
+By default, AliasVault is configured to allow public registration of new accounts. This means that anyone can create a new account on your server.
+
+If you want to disable public registration, you can do so by running the install script with the `configure-registration` option and then choosing option 2.
+
+```bash
+./install.sh configure-registration
+```
+
+> Note: disabling public registration means the ability to create new accounts in the AliasVault client is disabled for everyone, including administrators. Accounts cannot be created outside of the client because of the end-to-end encryption employed by AliasVault. So make sure you have created your own account(s) before disabling public registration.
+
+---
+
+## 5. Troubleshooting
+
+### Resetting the admin password
+If you have lost your admin password, you can reset it by running the install script with the `reset-password` option. This will generate a new random password and update the .env file with it. After that it will restart the AliasVault containers to apply the changes.
+```bash
+./install.sh reset-password
+```
+
+### Verbose output
+If you need more detailed output from the install script, you can run it with the `--verbose` option. This will print more information to the console.
+```bash
+./install.sh install --verbose
+```
+
+### No emails being received
+If you are not receiving emails on your aliases, check the following:
+- Verify DNS records are correctly configured
+- Ensure ports 25 and 587 are accessible
+- Check your server's firewall settings
+- Verify that your ISP/hosting provider allows SMTP traffic

docs/installation/start-stop.md

@@ -0,0 +1,30 @@
+---
+layout: default
+title: Start/stop
+parent: Installation Guide
+nav_order: 2
+---
+
+# Starting and stopping AliasVault
+You can start and stop AliasVault easily by using the install script.
+
+## Stop
+To stop AliasVault, run the install script with the `stop` option. This will stop all running AliasVault containers.
+
+```bash
+./install.sh stop
+```
+
+## Start
+To start AliasVault, run the install script with the `start` option. This will start all AliasVault containers.
+
+```bash
+./install.sh start
+```
+
+## Restart
+To restart AliasVault, run the install script with the `restart` option. This will restart all AliasVault containers.
+
+```bash
+./install.sh restart
+```

docs/installation/uninstall.md

@@ -0,0 +1,19 @@
+---
+layout: default
+title: Uninstall
+parent: Installation Guide
+nav_order: 4
+---
+
+# Uninstall
+
+To uninstall AliasVault, run the install script with the `uninstall` option. This will stop and remove the AliasVault containers, remove the Docker images, and delete the .env file.
+
+{: .note }
+This will not delete any data stored in the database. If you wish to delete all data, you should manually delete the `database` directory and the other directories created by AliasVault.
+
+### Steps
+1. Run the install script with the `uninstall` option
+```bash
+./install.sh uninstall
+```

docs/installation/update/index.md

@@ -0,0 +1,60 @@
+---
+layout: default
+title: Update
+parent: Installation Guide
+nav_order: 3
+---
+
+# Updating AliasVault
+{: .no_toc }
+
+<details open markdown="block">
+  <summary>
+    Table of contents
+  </summary>
+  {: .text-delta }
+1. TOC
+{:toc}
+</details>
+
+## Before You Begin
+You can see the latest available version of AliasVault on [GitHub](https://github.com/lanedirt/AliasVault/releases).
+
+{: .warning }
+Before updating, it's recommended to backup your database and other important data. You can do this by making
+a copy of the `database` and `certificates` directories.
+
+## Standard Update Process
+For most version updates, you can use the standard update process:
+
+```bash
+./install.sh update
+```
+
+> Tip: to skip the confirmation prompts and automatically proceed with the update, use the `-y` flag: `./install.sh update -y`
+
+## Version-Specific Upgrade Guides
+Some versions require additional steps during upgrade. If you are upgrading from an older version, please check the relevant upgrade guide below:
+
+- [Updating to v0.10.0](v0-10-0.html) - SQLite to PostgreSQL migration
+
+## Additional Update Options
+
+### Updating the installer script
+The installer script can check for and apply updates to itself. This is done as part of the `update` command. However you can also update the installer script separately with the `update-installer` command. This is useful if you want to update the installer script without updating AliasVault itself, e.g. as a separate step during CI/CD pipeline.
+
+```bash
+./install.sh update-installer
+```
+
+> Tip: to skip the confirmation prompts and automatically proceed with the update, use the `-y` flag: `./install.sh update-installer -y`
+
+### Installing a specific version
+To install a specific version and skip the automatic version checks, run the install script with the `install` option and specify the version you want to install. Note that downgrading is not supported officially and may lead to unexpected issues.
+
+```bash
+./install.sh install <version>
+
+# Example:
+./install.sh install 0.7.0
+```

docs/installation/update/v0.10.0.md

@@ -0,0 +1,39 @@
+---
+layout: default
+title: Update to v0.10.0
+parent: Update
+grand_parent: Installation Guide
+nav_order: 1
+---
+
+# Upgrading to v0.10.0
+{: .no_toc }
+
+This guide covers the upgrade process from version < v0.10.0 to v0.10.0 or newer, which includes a one-time database migration from SQLite to PostgreSQL.
+
+The v0.10.0 release introduces a new database backend, PostgreSQL, which replaces SQLite. This change is required because SQLite is not suitable for environments with concurrent writes that AliasVault requires.
+
+A built-in database migration tool is included in the installer script to help you migrate your data from SQLite to PostgreSQL.
+
+## Update Steps
+
+1. First, backup your existing SQLite database:
+```bash
+cp database/AliasServerDb.sqlite database/AliasServerDb.sqlite.backup
+```
+2. Update AliasVault to the latest version:
+```bash
+./install.sh update
+```
+3. Run the database migration tool:
+```bash
+./install.sh migrate-db
+```
+4. After the migration has completed successfully, restart all AliasVault containers:
+```bash
+./install.sh restart
+```
+
+5. Test the upgrade by logging in to the admin panel and checking that your data is intact.
+
+If you encounter any issues during the upgrade, please create an issue on the [GitHub repository](https://github.com/lanedirt/AliasVault/issues) or contact via Discord.

docs/misc/configure-sqlite-wasm.md

@@ -1,18 +0,0 @@
-To configure SQLite for use with WebAssembly follow these steps:
-
-1. Add NuGet package
-```
-dotnet add package SQLitePCLRaw.bundle_e_sqlite3
-```
-
-2. Modify .csproj and add the following:
-```xml
-    <PropertyGroup>
-        <WasmBuildNative>true</WasmBuildNative>
-    </PropertyGroup>
-```
-
-3. Make sure the "wasm-tools" workload is installed on the local machine in order to build the project:
-```
-dotnet workload install wasm-tools
-```

docs/misc/dev/contributing.md

@@ -0,0 +1,114 @@
+---
+layout: default
+title: Contributing
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 1
+---
+
+# Contributing
+This document is a work-in-progress and will be expanded as time goes on. If you have any questions feel free to open a issue on GitHub.
+
+Note: all instructions below are based on MacOS. If you are using a different operating system, you may need to adjust the commands accordingly.
+
+## Getting Started
+In order to contribute to this project follow these instructions to setup your local environment:
+
+### 1. Clone the repository
+```bash
+git clone https://github.com/lanedirt/AliasVault.git
+cd AliasVault
+```
+
+### 2. Copy pre-commit hook script to .git/hooks directory
+{: .note }
+All commits in this repo are required to contain a reference to a GitHub issue in the format of "your commit message (#123)" where "123" references the GitHub issue number.
+
+The pre-commit hook script below will check the commit message before allowing the commit to proceed. If the commit message is invalid, the commit will be aborted.
+
+```bash
+# Copy the commit-msg hook script to the .git/hooks directory
+cp .github/hooks/commit-msg .git/hooks/commit-msg
+
+# Make the script executable
+chmod +x .git/hooks/commit-msg
+```
+
+### 3. Install the latest version of .NET SDK 9
+```bash
+# Install .NET SDK 9
+
+# On MacOS via brew:
+brew install --cask dotnet-sdk
+
+# On Windows via winget
+winget install Microsoft.DotNet.SDK.9
+```
+
+### 4. Install dotnet CLI EF Tools
+```bash
+# Install dotnet EF tools globally
+dotnet tool install --global dotnet-ef
+# Include dotnet tools in your PATH
+nano ~/.zshrc
+# Add the following line to your .zshrc file
+export PATH="$PATH:$HOME/.dotnet/tools"
+# Start a new terminal and test that this command works:
+dotnet ef
+```
+
+### 5. Install dev database
+AliasVault uses PostgreSQL as its database. In order to run the project locally from Visual Studio / Rider you will need to install the dev database. You can do this by running the following command. This will start a separate PostgreSQL instance on port 5433 accessible via the `localhost:5433` address.
+
+```bash
+./install.sh configure-dev-db
+```
+
+After the database is running you can start the project from Visual Studio / Rider in run or debug mode and it should be able to connect to the dev database.
+
+### 6. Run Tailwind CSS compiler when changing HTML files to update compiled CSS
+```bash
+# For Admin project (in the admin project directory)
+npm run build:admin-css
+# For Client project (in the client project directory)
+npm run build:client-css
+```
+
+### 7. Install Playwright in order to locally run NUnit E2E (end-to-end) tests
+```bash
+# First install PowerShell for Mac (if you don't have it already)
+brew install powershell/tap/powershell
+# Install Playwright
+dotnet tool install --global Microsoft.Playwright.CLI
+# Run Playwright install script to download local browsers
+# Note: make sure the E2E test project has been built at least once so the bin dir exists.
+pwsh src/Tests/AliasVault.E2ETests/bin/Debug/net9.0/playwright.ps1 install
+```
+
+### 8. Create AliasVault.Client appsettings.Development.json
+The WASM client app supports a development specific appsettings.json file. This appsettings file is optional but can override various options to make debugging easier.
+
+1. Copy `wwwroot/appsettings.json` to `wwwroot/appsettings.Development.json`
+
+Here is an example file with the various options explained:
+
+```json
+{
+    "ApiUrl": "http://localhost:5092",
+    "PrivateEmailDomains": ["example.tld"],
+    "SupportEmail": "support@example.tld",
+    "UseDebugEncryptionKey": "true",
+    "CryptographyOverrideType" : "Argon2Id",
+    "CryptographyOverrideSettings" : "{\"DegreeOfParallelism\":1,\"MemorySize\":1024,\"Iterations\":1}"
+}
+```
+
+- **UseDebugEncryptionKey**
+  - This setting will use a static encryption key so that if you login as a user you can refresh the page without needing to unlock the database again. This speeds up development when changing things in the WebApp WASM project. Note: the project needs to be run in "Development" mode for this setting to be used.
+
+- **CryptographyOverrideType**
+  - This setting allows overriding the default encryption type (Argon2id) with a different encryption type. This is useful for testing different encryption types without having to change code.
+
+- **CryptographyOverrideSettings**
+  - This setting allows overriding the default encryption settings (Argon2id) with different settings. This is useful for testing different encryption settings without having to change code. The default Argon2id settings are defined in the project as `Utilities/Cryptography/Cryptography.Client/Defaults.cs`. These default settings are focused on security but NOT performance. Normally for key derivation purposes the slower/heavier the algorithm the better protection against attackers. For production builds this is what we want, however in case of automated testing or debugging extra performance can be gained by tweaking (lowering) these settings.
+```

docs/misc/dev/enable-webauthn-pfr-chrome.md

@@ -0,0 +1,20 @@
+---
+layout: default
+title: Enable WebAuthn
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 9
+---
+
+# WebAuthn
+Webauthn allows to quick unlock the vault. This can be either the built-in browser authenticator or an external authenticator like a Yubikey.
+
+At the time of writing (2024-10-04), only some browsers support the required PRF extension. In order to make it work in Chrome, you need to enable the PRF extension in the browser settings.
+
+## Chrome
+
+1. Open the Chrome browser and navigate to `chrome://flags/#enable-experimental-web-platform-features`.
+2. Enable the `Experimental Web Platform features` flag.
+3. Restart the browser.
+4. Now it should be possible to use the built-in chrome password manager to unlock the vault.
+5. Go to Menu -> Security Settings -> Quick Vault Unlock and enable it.

docs/misc/dev/index.md

@@ -0,0 +1,6 @@
+---
+layout: default
+title: Development
+parent: Miscellaneous
+nav_order: 1
+---

docs/misc/dev/postgresql-commands.md

@@ -0,0 +1,51 @@
+---
+layout: default
+title: PostgreSQL Commands
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 2
+---
+
+# PostgreSQL Commands
+
+## Backup database to file
+To backup the database to a file, you can use the following command:
+
+```bash
+docker compose exec postgres pg_dump -U aliasvault aliasvault | gzip > aliasvault.sql.gz
+```
+
+## Import database from file
+To drop the existing database and restore the database from a file, you can use the following command:
+
+{: .warning }
+Executing this command will drop the existing database and restore the database from the file. Make sure to have a backup of the existing database before running this command.
+
+```bash
+docker compose exec postgres psql -U aliasvault postgres -c "DROP DATABASE aliasvault;" && \
+docker compose exec postgres psql -U aliasvault postgres -c "CREATE DATABASE aliasvault;" && \
+gunzip < aliasvault.sql.gz | docker compose exec -iT postgres psql -U aliasvault aliasvault
+```
+
+## Change master password
+By default during initial installation the PostgreSQL master password is set to a random string that is
+stored in the `.env` file with the `POSTGRES_PASSWORD` variable.
+
+If you wish to change the master password, you can do so by running the following command:
+
+1. Open a terminal and navigate to the root of the AliasVault repository.
+2. Run the following command to connect to the PostgreSQL container:
+    ```bash
+    docker compose exec -it postgres psql -U aliasvault -d aliasvault
+    ```
+3. Once connected to the database, you can change the master password by running the following command:
+    ```sql
+    ALTER USER aliasvault WITH PASSWORD 'new_password';
+    ```
+4. Press Enter to confirm the changes.
+5. Exit the PostgreSQL shell by running `\q`.
+6. Manually update the `.env` file variable `POSTGRES_PASSWORD` with the new password.
+7. Restart the AliasVault containers by running the following command:
+    ```bash
+    docker compose restart
+    ```

docs/misc/dev/run-github-actions-locally.md

@@ -0,0 +1,94 @@
+---
+layout: default
+title: Run GitHub Actions Locally
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 9
+---
+
+# Run GitHub Actions Locally
+
+This guide will help you set up and run GitHub Actions locally on Linux, which can be useful for debugging and testing your workflows without pushing changes to the repository.
+
+## Prerequisites
+
+- Linux (Ubuntu or RHEL-based distributions)
+- [Docker](https://www.docker.com/) installed and running
+
+## Setup Instructions
+
+### 1. Install GitHub CLI
+
+First, install the GitHub CLI using Homebrew:
+
+```bash
+sudo dnf install 'dnf-command(config-manager)'
+sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
+sudo dnf install gh --repo gh-cli
+```
+
+### 2. Install Nektos/Act
+
+Next, install the Nektos/Act extension for GitHub CLI:
+
+```bash
+gh extension install https://github.com/nektos/gh-act
+```
+
+## Basic usage
+
+To run GitHub Actions locally, navigate to the root of your Git project and execute:
+
+```bash
+act
+```
+
+This command will pull the necessary Docker containers and execute the GitHub Actions defined in your repository.
+
+### Understanding the `-P` Option
+
+By default, `act` uses a simple Docker container that is small in size. However, official GitHub runners are much larger (10GB or even 100GB+). When certain commands or environments are needed, you should specify the full runner image using the `-P` option.
+
+The `-P` option allows you to map the platform to a specific Docker image. This is particularly useful when you need to replicate the environment of the official GitHub runners more closely.
+
+Syntax:
+```bash
+act -P ubuntu-latest=catthehacker/ubuntu:full-latest
+```
+
+This command tells `act` to use the `catthehacker/ubuntu:full-latest` Docker image for the `ubuntu-latest` platform, which is a more complete representation of the GitHub-hosted runner environment.
+
+## Debugging E2E Tests for AliasVault
+
+To run and debug the E2E tests for AliasVault using a more complete runner image, use the following command:
+
+```bash
+act -W .github/workflows/dotnet-e2e-tests.yml -P ubuntu-latest=catthehacker/ubuntu:full-latest
+```
+
+This command does the following:
+- `-W .github/workflows/dotnet-e2e-tests.yml`: Specifies the workflow file to run
+- `-P ubuntu-latest=catthehacker/ubuntu:full-latest`: Uses a more complete Ubuntu image that better replicates the GitHub-hosted runner environment
+
+Running this command will execute the E2E tests locally, allowing you to debug and test your workflow without pushing changes to the repository.
+
+```bash
+docker image prune -a -f && docker system prune -a -f
+```
+
+## Troubleshooting
+
+### Handling Disk Space Errors
+
+If you encounter disk space errors, you can free up space by pruning Docker images and system resources:
+
+### Misc
+
+If you encounter any issues while running GitHub Actions locally, consider the following:
+
+1. Ensure Docker is running and has sufficient resources allocated.
+2. Check that your workflow file is correctly formatted and placed in the `.github/workflows/` directory.
+3. Verify that all required secrets and environment variables are properly set.
+4. If you're using specific tools or commands that are available in GitHub-hosted runners but not in the default `act` image, make sure to use the `-P` option with an appropriate image as shown in the E2E tests example.
+
+For more detailed information and advanced usage, refer to the [Nektos/Act GitHub repository](https://github.com/nektos/act).

docs/misc/dev/upgrade-ef-client-model.md

@@ -1,3 +1,13 @@
+---
+layout: default
+title: Upgrade the AliasClientDb EF model
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 3
+---
+
+# Upgrade the AliasClientDb EF model
+
 To upgrade the AliasClientDb EF model, follow these steps:
 
 1. Make changes to the AliasClientDb EF model in the `AliasClientDb` project.
@@ -9,4 +19,4 @@ To upgrade the AliasClientDb EF model, follow these steps:
 dotnet ef migrations add "1.0.0-<migration-name>"
 ```
 4. On the next login of a user, they will be prompted (required) to upgrade their database schema to the latest version.
-Make sure to manually test this.
+Make sure to manually test that the migration works as expected.

docs/misc/dev/upgrade-ef-server-model.md

@@ -0,0 +1,22 @@
+---
+layout: default
+title: Upgrade the AliasServerDb EF model
+parent: Development
+grand_parent: Miscellaneous
+nav_order: 3
+---
+
+# Upgrade the AliasServerDb EF model
+
+The AliasServerDb EF model has migrations for both the SQLite and PostgreSQL databases. This means
+that when you make changes to the EF model, you need to create migrations for both databases.
+
+1. Make migration for PostgreSQL database:
+```bash
+dotnet ef migrations add InitialMigration --context AliasServerDbContextPostgresql --output-dir Migrations/PostgresqlMigrations
+```
+
+2. Make migration for SQLite database:
+```bash
+dotnet ef migrations add InitialMigration --context AliasServerDbContextSqlite --output-dir Migrations/SqliteMigrations
+```

docs/misc/index.md

@@ -0,0 +1,10 @@
+---
+layout: default
+title: Miscellaneous
+has_children: true
+nav_order: 99
+---
+
+# Miscellaneous
+
+Miscellaneous guides and documentation.

docs/misc/release/create-new-release.md

@@ -0,0 +1,29 @@
+---
+layout: default
+title: Create a new release
+parent: Release
+grand_parent: Miscellaneous
+nav_order: 1
+---
+
+# Release Preparation Checklist
+
+Follow the steps in the checklist below to prepare a new release.
+
+## Versioning
+- [ ] Update ./src/Shared/AliasVault.Shared.Core/AppInfo.cs and update major/minor/patch to the new version. This version will be shown in the client and admin app footer.
+- [ ] Update ./install.sh `@version` in header if the install script has changed. This allows the install script to self-update when running the `./install.sh update` command on default installations.
+- [ ] Update README.md install.sh download link to point to the new release version
+
+## Docker Images
+If docker containers have been added or removed:
+- [ ] Verify that `.github/workflows/publish-docker-images.yml` contains references to all docker images that need to be published.
+- [ ] Update `install.sh` and verify that the `images=()` array that takes care of pulling the images from the GitHub Container Registry is updated.
+
+## Manual Testing (since v0.10.0+)
+- [ ] Verify that the db migration from SQLite to PostgreSQL works. This needs to be tested manually until the SQLite support is removed. Test with: `./install.sh db-migrate` on an existing installation that has a SQLite database in `./database/AliasServerDb.sqlite`.
+
+## Documentation
+- [ ] Update /docs instructions if any changes have been made to the setup process
+- [ ] Update README screenshots if applicable
+- [ ] Update README current/upcoming features

docs/misc/release/index.md

@@ -0,0 +1,6 @@
+---
+layout: default
+title: Release
+parent: Miscellaneous
+nav_order: 1
+---

entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Create SSL directory if it doesn't exist
+mkdir -p /etc/nginx/ssl
+
+# Generate self-signed SSL certificate if not exists
+if [ ! -f /etc/nginx/ssl/cert.pem ] || [ ! -f /etc/nginx/ssl/key.pem ]; then
+    echo "Generating new SSL certificate..."
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/nginx/ssl/key.pem \
+        -out /etc/nginx/ssl/cert.pem \
+        -subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
+
+    # Set proper permissions
+    chmod 644 /etc/nginx/ssl/cert.pem
+    chmod 600 /etc/nginx/ssl/key.pem
+fi
+
+# Create the appropriate SSL configuration based on LETSENCRYPT_ENABLED
+if [ "${LETSENCRYPT_ENABLED}" = "true" ]; then
+    cat > /etc/nginx/ssl.conf << EOF
+    ssl_certificate /etc/nginx/ssl-letsencrypt/live/${HOSTNAME}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl-letsencrypt/live/${HOSTNAME}/privkey.pem;
+EOF
+else
+    cat > /etc/nginx/ssl.conf << EOF
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+EOF
+fi
+
+# Start nginx
+nginx -g "daemon off;"

init.sh

@@ -1,78 +0,0 @@
-#!/bin/sh
-
-# Define colors for CLI output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[0;33m'
-BLUE='\033[0;34m'
-MAGENTA='\033[0;35m'
-CYAN='\033[0;36m'
-NC='\033[0m' # No Color
-
-# Define the path to the .env and .env.example files
-ENV_FILE=".env"
-ENV_EXAMPLE_FILE=".env.example"
-
-# Function to generate a new 32-character JWT key
-generate_jwt_key() {
-  dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | head -c 32
-}
-
-# Function to create .env file from .env.example if it doesn't exist
-create_env_file() {
-  if [ ! -f "$ENV_FILE" ]; then
-    if [ -f "$ENV_EXAMPLE_FILE" ]; then
-      cp "$ENV_EXAMPLE_FILE" "$ENV_FILE"
-      printf "${GREEN}> .env file created from .env.example.${NC}\n"
-    else
-      touch "$ENV_FILE"
-      printf "${YELLOW}> .env file created as empty because .env.example was not found.${NC}\n"
-    fi
-  else
-    printf "${CYAN}> .env file already exists.${NC}\n"
-  fi
-}
-
-# Function to check and populate the .env file with JWT_KEY
-populate_jwt_key() {
-  if ! grep -q "^JWT_KEY=" "$ENV_FILE" || [ -z "$(grep "^JWT_KEY=" "$ENV_FILE" | cut -d '=' -f2)" ]; then
-    printf "${YELLOW}JWT_KEY not found or empty in $ENV_FILE. Generating a new JWT key...${NC}\n"
-    JWT_KEY=$(generate_jwt_key)
-    if grep -q "^JWT_KEY=" "$ENV_FILE"; then
-      awk -v key="$JWT_KEY" '/^JWT_KEY=/ {$0="JWT_KEY="key} 1' "$ENV_FILE" > "$ENV_FILE.tmp" && mv "$ENV_FILE.tmp" "$ENV_FILE"
-    else
-      printf "JWT_KEY=${JWT_KEY}" >> "$ENV_FILE\n"
-    fi
-    printf "${GREEN}> JWT_KEY has been added to $ENV_FILE.${NC}\n"
-  else
-    printf "${CYAN}> JWT_KEY already exists and has a value in $ENV_FILE.${NC}\n"
-  fi
-}
-
-# Function to print the CLI logo
-print_logo() {
-  printf "${MAGENTA}\n"
-  printf "=========================================================\n"
-  printf "           _ _        __      __         _ _   \n"
-  printf "     /\   | (_)       \ \    / /        | | |  \n"
-  printf "    /  \  | |_  __ _ __\ \  / /_ _ _   _| | |_\n"
-  printf "   / /\ \ | | |/ _  / __\ \/ / _  | | | | | __|\n"
-  printf "  / ____ \| | | (_| \__ \\   / (_| | |_| | | |_ \n"
-  printf " /_/    \_\_|_|\__,_|___/ \/ \__,_|\__,_|_|\__|\n"
-  printf "\n"
-  printf "=========================================================\n"
-  printf "${NC}\n"
-}
-
-# Run the functions and print status
-print_logo
-printf "${BLUE}Initializing AliasVault...${NC}\n"
-create_env_file
-populate_jwt_key
-printf "${BLUE}Initialization complete.${NC}\n"
-printf "\n"
-printf "To build the images and start the containers, run the following command:\n"
-printf "\n"
-printf "${CYAN}$ docker compose up -d --build --force-recreate${NC}\n"
-printf "\n"
-printf "\n"

nginx.conf

@@ -0,0 +1,100 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    upstream client {
+        server client:3000;
+    }
+
+    upstream api {
+        server api:3001;
+    }
+
+    upstream admin {
+        server admin:3002;
+    }
+
+    # Preserve any existing X-Forwarded-* headers, this is relevant if AliasVault
+    # is running behind another reverse proxy.
+    set_real_ip_from 10.0.0.0/8;
+    set_real_ip_from 172.16.0.0/12;
+    set_real_ip_from 192.168.0.0/16;
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Enable gzip compression, which reduces the amount of data that needs to be transferred
+    # to speed up WASM load times.
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    server {
+        listen 80;
+        server_name _;
+
+        # Handle ACME challenge for Let's Encrypt certificate validation
+        location /.well-known/acme-challenge/ {
+            allow all;
+            root /var/www/certbot;
+            try_files $uri =404;
+            default_type "text/plain";
+            add_header Cache-Control "no-cache";
+            break;
+        }
+
+        # Redirect all other HTTP traffic to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name _;
+
+        # Include the appropriate SSL certificate configuration generated
+        # by the entrypoint script.
+        include /etc/nginx/ssl.conf;
+
+        # Admin interface
+        location /admin {
+            proxy_pass http://admin;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            # Add WebSocket support for Blazor server
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_read_timeout 86400;
+        }
+
+        # API endpoints
+        location /api {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        # Client app (root path)
+        location / {
+            proxy_pass http://client;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+}

src/AliasGenerators/Identity/Implementations/FigIdentityGenerator.cs

@@ -1,39 +0,0 @@
-//-----------------------------------------------------------------------
-// <copyright file="FigIdentityGenerator.cs" company="lanedirt">
-// Copyright (c) lanedirt. All rights reserved.
-// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
-// </copyright>
-//-----------------------------------------------------------------------
-namespace AliasGenerators.Identity.Implementations;
-
-using System.Text.Json;
-
-/// <summary>
-/// Identity generator which generates random identities using the identiteitgenerator.nl semi-public API.
-/// </summary>
-public class FigIdentityGenerator : IIdentityGenerator
-{
-    private static readonly HttpClient HttpClient = new();
-    private static readonly string Url = "https://api.identiteitgenerator.nl/generate/identity";
-    private static readonly JsonSerializerOptions JsonSerializerOptions = new()
-    {
-        PropertyNameCaseInsensitive = true,
-    };
-
-    /// <inheritdoc/>
-    public async Task<Identity.Models.Identity> GenerateRandomIdentityAsync()
-    {
-        var response = await HttpClient.GetAsync(Url);
-        response.EnsureSuccessStatusCode();
-
-        var json = await response.Content.ReadAsStringAsync();
-        var identity = JsonSerializer.Deserialize<Identity.Models.Identity>(json, JsonSerializerOptions);
-
-        if (identity is null)
-        {
-            throw new InvalidOperationException("Failed to deserialize the identity from FIG WebApi.");
-        }
-
-        return identity;
-    }
-}

src/AliasGenerators/Identity/Implementations/StaticIdentityGenerator.cs

@@ -1,27 +0,0 @@
-//-----------------------------------------------------------------------
-// <copyright file="StaticIdentityGenerator.cs" company="lanedirt">
-// Copyright (c) lanedirt. All rights reserved.
-// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
-// </copyright>
-//-----------------------------------------------------------------------
-namespace AliasGenerators.Identity.Implementations;
-
-using AliasGenerators.Identity;
-
-/// <summary>
-/// Static identity generator which implements IIdentityGenerator but always returns
-/// the same static identity for testing purposes.
-/// </summary>
-public class StaticIdentityGenerator : IIdentityGenerator
-{
-    /// <inheritdoc/>
-    public async Task<Identity.Models.Identity> GenerateRandomIdentityAsync()
-    {
-        await Task.Yield(); // Add an await statement to make the method truly asynchronous.
-        return new Identity.Models.Identity
-        {
-            FirstName = "John",
-            LastName = "Doe",
-        };
-    }
-}

src/AliasGenerators/Identity/Models/Identity.cs

@@ -1,88 +0,0 @@
-//-----------------------------------------------------------------------
-// <copyright file="Identity.cs" company="lanedirt">
-// Copyright (c) lanedirt. All rights reserved.
-// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
-// </copyright>
-//-----------------------------------------------------------------------
-namespace AliasGenerators.Identity.Models;
-
-/// <summary>
-/// Identity model.
-/// </summary>
-public class Identity
-{
-    /// <summary>
-    /// Gets or sets the id.
-    /// </summary>
-    public string Id { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the gender.
-    /// </summary>
-    public int Gender { get; set; }
-
-    /// <summary>
-    /// Gets or sets the first name.
-    /// </summary>
-    public string FirstName { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the last name.
-    /// </summary>
-    public string LastName { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the nickname. This is also used as the username.
-    /// </summary>
-    public string NickName { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the birth date.
-    /// </summary>
-    public DateTime BirthDate { get; set; }
-
-    /// <summary>
-    /// Gets or sets the address.
-    /// </summary>
-    public Address Address { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the job.
-    /// </summary>
-    public Job Job { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the hobbies.
-    /// </summary>
-    public List<string> Hobbies { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the email address prefix.
-    /// </summary>
-    public string EmailPrefix { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the password.
-    /// </summary>
-    public string Password { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the phone mobile.
-    /// </summary>
-    public string PhoneMobile { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the bank account IBAN.
-    /// </summary>
-    public string BankAccountIBAN { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the profile photo in base64 format.
-    /// </summary>
-    public string ProfilePhotoBase64 { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the profile photo prompt.
-    /// </summary>
-    public string ProfilePhotoPrompt { get; set; } = null!;
-}

src/AliasGenerators/Identity/Models/Job.cs

@@ -1,38 +0,0 @@
-//-----------------------------------------------------------------------
-// <copyright file="Job.cs" company="lanedirt">
-// Copyright (c) lanedirt. All rights reserved.
-// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
-// </copyright>
-//-----------------------------------------------------------------------
-namespace AliasGenerators.Identity.Models;
-
-/// <summary>
-/// Job model.
-/// </summary>
-public class Job
-{
-    /// <summary>
-    /// Gets or sets the title.
-    /// </summary>
-    public string Title { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the company.
-    /// </summary>
-    public string Company { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the salary.
-    /// </summary>
-    public string Salary { get; set; } = null!;
-
-    /// <summary>
-    /// Gets or sets the calculated salary.
-    /// </summary>
-    public decimal SalaryCalculated { get; set; }
-
-    /// <summary>
-    /// Gets or sets the description.
-    /// </summary>
-    public string Description { get; set; } = null!;
-}

src/AliasVault.Admin/AliasVault.Admin.csproj

@@ -0,0 +1,54 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+    <PropertyGroup>
+        <TargetFramework>net9.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <UserSecretsId>aspnet-AliasVault.Admin-1DAADE35-C01B-43BB-B440-AA5E1E0B672D</UserSecretsId>
+        <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
+        <NoWarn>1701;1702;NU1900</NoWarn>
+        <LangVersion>13</LangVersion>
+    </PropertyGroup>
+
+    <PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">
+      <DocumentationFile>bin\Debug\net9.0\AliasVault.Admin.xml</DocumentationFile>
+      <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    </PropertyGroup>
+
+    <PropertyGroup Condition=" '$(Configuration)' == 'Release' ">
+      <DocumentationFile>bin\Release\net9.0\AliasVault.Admin.xml</DocumentationFile>
+      <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="9.0.1" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.0">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+        <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+      <Content Include="..\..\.dockerignore">
+        <Link>.dockerignore</Link>
+      </Content>
+    </ItemGroup>
+
+    <ItemGroup>
+        <AdditionalFiles Include="..\stylecop.json" Link="stylecop.json" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\Databases\AliasServerDb\AliasServerDb.csproj" />
+      <ProjectReference Include="..\Shared\AliasVault.RazorComponents\AliasVault.RazorComponents.csproj" />
+      <ProjectReference Include="..\Shared\AliasVault.Shared.Core\AliasVault.Shared.Core.csproj" />
+      <ProjectReference Include="..\Shared\AliasVault.Shared.Server\AliasVault.Shared.Server.csproj" />
+      <ProjectReference Include="..\Utilities\AliasVault.Auth\AliasVault.Auth.csproj" />
+      <ProjectReference Include="..\Utilities\AliasVault.Logging\AliasVault.Logging.csproj" />
+      <ProjectReference Include="..\Utilities\Cryptography\AliasVault.Cryptography.Server\AliasVault.Cryptography.Server.csproj" />
+    </ItemGroup>
+</Project>

src/AliasVault.Admin/Auth/Components/InputTextField.razor

@@ -12,30 +12,36 @@
     /// <summary>
     /// Gets or sets the ID of the input field.
     /// </summary>
-    [Parameter] public string Id { get; set; } = null!;
+    [Parameter]
+    public required string Id { get; set; }
 
     /// <summary>
     /// Gets or sets the value of the input field.
     /// </summary>
-    [Parameter] public string Value { get; set; } = null!;
+    [Parameter]
+    public required string Value { get; set; }
 
     /// <summary>
     /// Gets or sets the event callback that is triggered when the value changes.
     /// </summary>
-    [Parameter] public EventCallback<string?> ValueChanged { get; set; }
+    [Parameter]
+    public required EventCallback<string?> ValueChanged { get; set; }
 
     /// <summary>
     /// Gets or sets the expression that identifies the value property.
     /// </summary>
-    [Parameter] public Expression<Func<string>> ValueExpression { get; set; } = null!;
+    [Parameter]
+    public required Expression<Func<string>> ValueExpression { get; set; }
 
     /// <summary>
     /// Gets or sets the placeholder text for the input field.
     /// </summary>
-    [Parameter] public string Placeholder { get; set; } = null!;
+    [Parameter]
+    public required string Placeholder { get; set; }
 
     /// <summary>
     /// Gets or sets additional attributes for the input field.
     /// </summary>
-    [Parameter(CaptureUnmatchedValues = true)] public Dictionary<string, object?>? AdditionalAttributes { get; set; } = new();
+    [Parameter(CaptureUnmatchedValues = true)]
+    public Dictionary<string, object?>? AdditionalAttributes { get; set; } = new();
 }

src/AliasVault.Admin/Auth/Components/Logo.razor

@@ -0,0 +1,10 @@
+@using AliasVault.Admin.Services
+@inject NavigationService NavigationService
+
+<a href="@NavigationService.BaseUri">
+    <div class="text-5xl font-bold text-gray-900 dark:text-white mb-4 flex items-center">
+        <img src="img/logo.svg" alt="AliasVault" class="w-20 h-20 mr-2" />
+        <span>AliasVault</span>
+        <span class="ps-2 self-center hidden sm:flex text-lg font-bold whitespace-nowrap text-white bg-red-600 rounded-full px-2 py-1 ml-2">Admin</span>
+    </div>
+</a>

src/AliasVault.Admin/Auth/Layout/AuthLayout.razor

@@ -0,0 +1,36 @@
+@inherits LayoutComponentBase
+@using AliasVault.Admin.Auth.Components
+@implements IDisposable
+@inject NavigationManager NavigationManager
+
+<div class="flex flex-col items-center justify-center px-6 pt-8 mx-auto md:h-screen pt:mt-0 dark:bg-gray-900">
+    <Logo />
+    <div class="w-full max-w-xl p-6 space-y-4 sm:p-8 bg-white rounded-lg shadow dark:bg-gray-800">
+        @Body
+    </div>
+</div>
+
+<div id="blazor-error-ui">
+    An unhandled error has occurred.
+    <a href="" class="reload">Reload</a>
+    <a class="dismiss">🗙</a>
+</div>
+
+@code {
+    /// <inheritdoc />
+    public void Dispose()
+    {
+        NavigationManager.LocationChanged -= OnLocationChanged;
+    }
+
+    /// <inheritdoc />
+    protected override void OnInitialized()
+    {
+        NavigationManager.LocationChanged += OnLocationChanged;
+    }
+
+    private void OnLocationChanged(object? sender, LocationChangedEventArgs e)
+    {
+        StateHasChanged();
+    }
+}

src/AliasVault.Admin/Auth/Layout/AuthLayout.razor.css

@@ -0,0 +1,18 @@
+#blazor-error-ui {
+    background: lightyellow;
+    bottom: 0;
+    box-shadow: 0 -1px 2px rgba(0, 0, 0, 0.2);
+    display: none;
+    left: 0;
+    padding: 0.6rem 1.25rem 0.7rem 1.25rem;
+    position: fixed;
+    width: 100%;
+    z-index: 1000;
+}
+
+#blazor-error-ui .dismiss {
+    cursor: pointer;
+    position: absolute;
+    right: 0.75rem;
+    top: 0.5rem;
+}

src/AliasVault.Admin/Auth/Pages/AuthBase.cs

@@ -0,0 +1,78 @@
+//-----------------------------------------------------------------------
+// <copyright file="AuthBase.cs" company="lanedirt">
+// Copyright (c) lanedirt. All rights reserved.
+// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace AliasVault.Admin.Auth.Pages;
+
+using AliasServerDb;
+using AliasVault.Admin.Main.Components.Alerts;
+using AliasVault.Admin.Services;
+using AliasVault.Auth;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Identity;
+
+/// <summary>
+/// Base auth page that all pages that are part of the auth (non-logged in part of website) should inherit from.
+/// All pages that inherit from this class will require the user to be logged out. If user is logged in they
+/// are automatically redirected to index page.
+/// </summary>
+public class AuthBase : OwningComponentBase
+{
+    /// <summary>
+    /// Gets or sets the logger.
+    /// </summary>
+    [Inject]
+    protected ILogger<Login> Logger { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets the navigation service.
+    /// </summary>
+    [Inject]
+    protected NavigationService NavigationService { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets the sign in manager.
+    /// </summary>
+    [Inject]
+    protected SignInManager<AdminUser> SignInManager { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets the user manager.
+    /// </summary>
+    [Inject]
+    protected UserManager<AdminUser> UserManager { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets the authentication state provider.
+    /// </summary>
+    [Inject]
+    protected AuthenticationStateProvider AuthenticationStateProvider { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets the auth logging service.
+    /// </summary>
+    [Inject]
+    protected AuthLoggingService AuthLoggingService { get; set; } = null!;
+
+    /// <summary>
+    /// Gets or sets object which holds server validation errors to show in the UI.
+    /// </summary>
+    protected ServerValidationErrors ServerValidationErrors { get; set; } = new();
+
+    /// <inheritdoc />
+    protected override async Task OnInitializedAsync()
+    {
+        var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
+        var user = authState.User;
+
+        // Redirect to home if the user is already authenticated
+        if (SignInManager.IsSignedIn(user))
+        {
+            NavigationService.RedirectTo("./");
+        }
+    }
+}

src/AliasVault.Admin/Auth/Pages/ForgotPassword.razor

@@ -0,0 +1,8 @@
+@page "/user/forgot-password"
+
+<LayoutPageTitle>Forgot your password?</LayoutPageTitle>
+
+<h2 class="text-2xl font-bold text-gray-900 dark:text-white mb-2">
+    Forgot your password?
+</h2>
+<p class="text-sm text-gray-500 dark:text-gray-400">If you have forgotten your password, contact the server admin or consult the AliasVault documentation on how to reset your password.</p>

src/AliasVault.Admin/Auth/Pages/Lockout.razor

@@ -0,0 +1,8 @@
+@page "/user/lockout"
+
+<LayoutPageTitle>Locked out</LayoutPageTitle>
+
+<h2 class="text-2xl font-bold text-gray-900 dark:text-white mb-2">
+    Locked out
+</h2>
+<p class="text-sm text-gray-500 dark:text-gray-400">You have entered an incorrect password too many times and your account has now been locked out. You can try again in 30 minutes.</p>

src/AliasVault.Admin/Auth/Pages/Login.razor

@@ -0,0 +1,111 @@
+@page "/user/login"
+@using AliasVault.Shared.Models.Enums
+
+<LayoutPageTitle>Log in</LayoutPageTitle>
+
+<h2 class="text-2xl font-bold text-gray-900 dark:text-white">
+    Sign in to AliasVault Admin
+</h2>
+
+<ServerValidationErrors @ref="ServerValidationErrors" />
+
+<EditForm Model="Input" FormName="LoginForm" OnValidSubmit="LoginUser" class="mt-8 space-y-6">
+    <DataAnnotationsValidator/>
+    <div>
+        <label asp-for="Input.UserName" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your username</label>
+        <InputTextField id="username" @bind-Value="Input.UserName" placeholder="username" />
+        <ValidationMessage For="() => Input.UserName"/>
+    </div>
+    <div>
+        <label asp-for="Input.Password" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your password</label>
+        <InputTextField id="password" @bind-Value="Input.Password" type="password" placeholder="••••••••" />
+        <ValidationMessage For="() => Input.Password"/>
+    </div>
+
+    <div class="flex items-start">
+        <div class="flex items-center h-5">
+            <input id="remember" aria-describedby="remember" name="remember" type="checkbox" class="w-4 h-4 border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-primary-300 dark:focus:ring-primary-600 dark:ring-offset-gray-800 dark:bg-gray-700 dark:border-gray-600">
+        </div>
+        <div class="ml-3 text-sm">
+            <label for="remember" class="font-medium text-gray-900 dark:text-white">Remember me</label>
+        </div>
+        <a href="user/forgot-password" class="ml-auto text-sm text-primary-700 hover:underline dark:text-primary-500">Lost Password?</a>
+    </div>
+
+    <button type="submit" class="w-full px-5 py-3 text-base font-medium text-center text-white bg-primary-700 rounded-lg hover:bg-primary-800 focus:ring-4 focus:ring-primary-300 sm:w-auto dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">Login to your account</button>
+</EditForm>
+
+
+@code {
+    [CascadingParameter] private HttpContext HttpContext { get; set; } = default!;
+
+    [SupplyParameterFromForm] private InputModel Input { get; set; } = new();
+
+    [SupplyParameterFromQuery] private string? ReturnUrl { get; set; }
+
+    /// <inheritdoc />
+    protected override async Task OnInitializedAsync()
+    {
+        await base.OnInitializedAsync();
+        if (HttpMethods.IsGet(HttpContext.Request.Method))
+        {
+            // Clear the existing external cookie to ensure a clean login process
+            await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
+        }
+    }
+
+    /// <summary>
+    /// Logs in the user.
+    /// </summary>
+    protected async Task LoginUser()
+    {
+        ServerValidationErrors.Clear();
+
+        var user = await UserManager.FindByNameAsync(Input.UserName);
+        if (user == null)
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(Input.UserName, AuthEventType.Login, AuthFailureReason.InvalidUsername);
+            ServerValidationErrors.AddError("Error: Invalid login attempt.");
+            return;
+        }
+
+        var result = await SignInManager.PasswordSignInAsync(Input.UserName, Input.Password, Input.RememberMe, lockoutOnFailure: true);
+        if (result.Succeeded)
+        {
+            await AuthLoggingService.LogAuthEventSuccessAsync(Input.UserName, AuthEventType.Login);
+            Logger.LogInformation("User logged in.");
+            NavigationService.RedirectTo(ReturnUrl ?? "./");
+        }
+        else if (result.RequiresTwoFactor)
+        {
+            await AuthLoggingService.LogAuthEventSuccessAsync(Input.UserName, AuthEventType.Login);
+            NavigationService.RedirectTo(
+                "user/loginWith2fa",
+                new Dictionary<string, object?> { ["returnUrl"] = ReturnUrl, ["rememberMe"] = Input.RememberMe });
+        }
+        else if (result.IsLockedOut)
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(Input.UserName, AuthEventType.Login, AuthFailureReason.AccountLocked);
+            Logger.LogWarning("User account locked out.");
+            NavigationService.RedirectTo("user/lockout");
+        }
+        else
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(Input.UserName, AuthEventType.Login, AuthFailureReason.InvalidPassword);
+            ServerValidationErrors.AddError("Error: Invalid login attempt.");
+        }
+    }
+
+    private sealed class InputModel
+    {
+        [Required] public string UserName { get; set; } = "";
+
+        [Required]
+        [DataType(DataType.Password)]
+        public string Password { get; set; } = "";
+
+        [Display(Name = "Remember me?")]
+        public bool RememberMe { get; set; } = true;
+    }
+
+}

src/AliasVault.Admin/Auth/Pages/LoginWith2fa.razor

@@ -0,0 +1,105 @@
+@page "/user/loginWith2fa"
+@using AliasVault.Shared.Models.Enums
+
+<LayoutPageTitle>Two-factor authentication</LayoutPageTitle>
+
+<h2 class="text-2xl font-bold text-gray-900 dark:text-white mb-4">
+    Two-factor authentication
+</h2>
+
+<ServerValidationErrors @ref="ServerValidationErrors" />
+
+<p class="text-gray-700 dark:text-gray-300 mb-6">Your login is protected with an authenticator app. Enter your authenticator code below.</p>
+<div class="w-full max-w-md">
+    <EditForm Model="Input" FormName="login-with-2fa" OnValidSubmit="OnValidSubmitAsync" method="post" class="space-y-6">
+        <input type="hidden" name="ReturnUrl" value="@ReturnUrl"/>
+        <input type="hidden" name="RememberMe" value="@RememberMe"/>
+        <DataAnnotationsValidator/>
+        <ValidationSummary class="text-red-600 dark:text-red-400" role="alert"/>
+        <div>
+            <label for="two-factor-code" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Authenticator code</label>
+            <InputText @bind-Value="Input.TwoFactorCode" id="two-factor-code" class="bg-gray-50 border border-gray-300 text-gray-900 sm:text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-blue-500 dark:focus:border-blue-500" autocomplete="off"/>
+            <ValidationMessage For="() => Input.TwoFactorCode" class="text-red-600 dark:text-red-400 text-sm mt-1"/>
+        </div>
+        <div class="flex items-start">
+            <div class="flex items-center h-5">
+                <InputCheckbox @bind-Value="Input.RememberMachine" id="remember-machine" class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-primary-300 dark:bg-gray-700 dark:border-gray-600 dark:focus:ring-primary-600 dark:ring-offset-gray-800"/>
+            </div>
+            <div class="ml-3 text-sm">
+                <label for="remember-machine" class="font-medium text-gray-900 dark:text-white">Remember this machine</label>
+            </div>
+        </div>
+        <button type="submit" class="w-full text-white bg-primary-600 hover:bg-primary-700 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">Log in</button>
+    </EditForm>
+</div>
+<p class="mt-6 text-sm text-gray-700 dark:text-gray-300">
+    Don't have access to your authenticator device? You can
+    <a href="user/loginWithRecoveryCode?ReturnUrl=@ReturnUrl" class="text-primary-600 hover:underline dark:text-primary-500">log in with a recovery code</a>.
+</p>
+
+@code {
+    private AdminUser user = default!;
+
+    [SupplyParameterFromForm]
+    private InputModel Input { get; set; } = new();
+
+    [SupplyParameterFromQuery]
+    private string? ReturnUrl { get; set; }
+
+    [SupplyParameterFromQuery]
+    private bool RememberMe { get; set; }
+
+    /// <inheritdoc />
+    protected override async Task OnInitializedAsync()
+    {
+        await base.OnInitializedAsync();
+
+        // Ensure the user has gone through the username & password screen first
+        user = await SignInManager.GetTwoFactorAuthenticationUserAsync() ??
+               throw new InvalidOperationException("Unable to load two-factor authentication user.");
+    }
+
+    /// <summary>
+    /// Submits the form.
+    /// </summary>
+    private async Task OnValidSubmitAsync()
+    {
+        ServerValidationErrors.Clear();
+
+        var authenticatorCode = Input.TwoFactorCode!.Replace(" ", string.Empty).Replace("-", string.Empty);
+        var result = await SignInManager.TwoFactorAuthenticatorSignInAsync(authenticatorCode, RememberMe, Input.RememberMachine);
+        var userId = await UserManager.GetUserIdAsync(user);
+
+        if (result.Succeeded)
+        {
+            await AuthLoggingService.LogAuthEventSuccessAsync(user.UserName!, AuthEventType.TwoFactorAuthentication);
+            Logger.LogInformation("User with ID '{UserId}' logged in with 2fa.", userId);
+            NavigationService.RedirectTo(ReturnUrl);
+        }
+        else if (result.IsLockedOut)
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(user.UserName!, AuthEventType.TwoFactorAuthentication, AuthFailureReason.AccountLocked);
+            Logger.LogWarning("User with ID '{UserId}' account locked out.", userId);
+            NavigationService.RedirectTo("user/lockout");
+        }
+        else
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(user.UserName!, AuthEventType.TwoFactorAuthentication, AuthFailureReason.InvalidTwoFactorCode);
+            Logger.LogWarning("Invalid authenticator code entered for user with ID '{UserId}'.", userId);
+            ServerValidationErrors.AddError("Error: Invalid authenticator code.");
+        }
+    }
+
+    private sealed class InputModel
+    {
+        [Required]
+        [StringLength(7, ErrorMessage = "The {0} must be at least {2} and at max {1} characters long.", MinimumLength = 6)]
+        [DataType(DataType.Text)]
+        [Display(Name = "Authenticator code")]
+        public string? TwoFactorCode { get; set; }
+
+        [Display(Name = "Remember this machine")]
+        public bool RememberMachine { get; set; }
+    }
+
+}

src/AliasVault.Admin/Auth/Pages/LoginWithRecoveryCode.razor

@@ -0,0 +1,83 @@
+@page "/user/loginWithRecoveryCode"
+@using AliasVault.Shared.Models.Enums
+
+<LayoutPageTitle>Recovery code verification</LayoutPageTitle>
+
+<h2 class="text-2xl font-bold text-gray-900 dark:text-white mb-4">
+    Recovery code verification
+</h2>
+
+<ServerValidationErrors @ref="ServerValidationErrors" />
+
+<p class="text-gray-700 dark:text-gray-300 mb-6">
+    You have requested to log in with a recovery code. A recovery code is a one-time code that can be used to log in to your account.
+    Note that if you don't manually disable 2FA after login, you will be asked for an authenticator code again at the next login.
+</p>
+<div class="w-full max-w-md">
+    <EditForm Model="Input" FormName="login-with-recovery-code" OnValidSubmit="OnValidSubmitAsync" method="post" class="space-y-6">
+        <DataAnnotationsValidator/>
+        <ValidationSummary class="text-red-600 dark:text-red-400" role="alert"/>
+        <div>
+            <label for="recovery-code" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Recovery Code</label>
+            <InputText @bind-Value="Input.RecoveryCode" id="recovery-code" class="bg-gray-50 border border-gray-300 text-gray-900 sm:text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-blue-500 dark:focus:border-blue-500" autocomplete="off" placeholder="Enter your recovery code"/>
+            <ValidationMessage For="() => Input.RecoveryCode" class="text-red-600 dark:text-red-400 text-sm mt-1"/>
+        </div>
+        <button type="submit" class="w-full text-white bg-primary-600 hover:bg-primary-700 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">Log in</button>
+    </EditForm>
+</div>
+
+@code {
+    private AdminUser user = default!;
+
+    [SupplyParameterFromForm] private InputModel Input { get; set; } = new();
+
+    [SupplyParameterFromQuery] private string? ReturnUrl { get; set; }
+
+    /// <inheritdoc />
+    protected override async Task OnInitializedAsync()
+    {
+        // Ensure the user has gone through the username & password screen first
+        user = await SignInManager.GetTwoFactorAuthenticationUserAsync() ??
+               throw new InvalidOperationException("Unable to load two-factor authentication user.");
+    }
+
+    /// <summary>
+    /// Submits the form.
+    /// </summary>
+    private async Task OnValidSubmitAsync()
+    {
+        ServerValidationErrors.Clear();
+
+        var recoveryCode = Input.RecoveryCode.Replace(" ", string.Empty);
+        var result = await SignInManager.TwoFactorRecoveryCodeSignInAsync(recoveryCode);
+        var userId = await UserManager.GetUserIdAsync(user);
+
+        if (result.Succeeded)
+        {
+            await AuthLoggingService.LogAuthEventSuccessAsync(user.UserName!, AuthEventType.TwoFactorAuthentication);
+            Logger.LogInformation("User with ID '{UserId}' logged in with a recovery code.", userId);
+            NavigationService.RedirectTo(ReturnUrl);
+        }
+        else if (result.IsLockedOut)
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(user.UserName!, AuthEventType.TwoFactorAuthentication, AuthFailureReason.AccountLocked);
+            Logger.LogWarning("User account locked out.");
+            NavigationService.RedirectTo("user/lockout");
+        }
+        else
+        {
+            await AuthLoggingService.LogAuthEventFailAsync(user.UserName!, AuthEventType.TwoFactorAuthentication, AuthFailureReason.InvalidRecoveryCode);
+            Logger.LogWarning("Invalid recovery code entered for user with ID '{UserId}' ", userId);
+            ServerValidationErrors.AddError("Error: Invalid recovery code entered.");
+        }
+    }
+
+    private sealed class InputModel
+    {
+        [Required]
+        [DataType(DataType.Text)]
+        [Display(Name = "Recovery Code")]
+        public string RecoveryCode { get; set; } = "";
+    }
+
+}

src/AliasVault.Admin/Auth/Pages/Logout.razor

@@ -0,0 +1,42 @@
+@page "/user/logout"
+@using AliasVault.Shared.Models.Enums
+@inject UserService UserService
+@inject GlobalNotificationService GlobalNotificationService
+
+@code {
+    /// <inheritdoc />
+    protected override async Task OnInitializedAsync()
+    {
+        // Sign out the user.
+        // NOTE: the try/catch below is a workaround for the issue that the sign-out does not work when
+        // the server session is already started.
+        try
+        {
+            await UserService.LoadCurrentUserAsync();
+            var username = UserService.User().UserName;
+
+            try
+            {
+                await SignInManager.SignOutAsync();
+                GlobalNotificationService.ClearMessages();
+                await AuthLoggingService.LogAuthEventSuccessAsync(username!, AuthEventType.Logout);
+
+                // Redirect to the home page with hard refresh.
+                NavigationService.RedirectTo("./", true);
+            }
+            catch
+            {
+                // Hard refresh current page if sign out fails. When an interactive server session is already started
+                // the sign-out will fail because it tries to mutate cookies which is only possible when the server
+                // session is not started yet.
+                await AuthLoggingService.LogAuthEventSuccessAsync(username!, AuthEventType.Logout);
+                NavigationService.RedirectTo(NavigationService.Uri, true);
+            }
+        }
+        catch
+        {
+            // Redirect to the home page with hard refresh.
+            NavigationService.RedirectTo("./", true);
+        }
+    }
+}

src/AliasVault.Admin/Auth/Pages/_Imports.razor

@@ -0,0 +1,11 @@
+@inherits AuthBase
+@using System.ComponentModel.DataAnnotations
+@using AliasVault.Admin.Auth.Components
+@using AliasVault.Admin.Auth.Layout
+@using AliasVault.Admin.Main.Components.Alerts
+@using AliasVault.Admin.Main.Components.Layout
+@using AliasVault.Admin.Main.Layout
+@using AliasVault.Admin.Services
+@using Microsoft.AspNetCore.Authentication
+@using Microsoft.AspNetCore.Identity
+@layout AuthLayout

src/AliasVault.Admin/Auth/Providers/RevalidatingAuthenticationStateProvider.cs

@@ -0,0 +1,67 @@
+//-----------------------------------------------------------------------
+// <copyright file="RevalidatingAuthenticationStateProvider.cs" company="lanedirt">
+// Copyright (c) lanedirt. All rights reserved.
+// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace AliasVault.Admin.Auth.Providers;
+
+using System.Security.Claims;
+using AliasServerDb;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Components.Server;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+
+/// <summary>
+/// This is a server-side AuthenticationStateProvider that revalidates the security stamp for the connected user
+/// every 30 minutes an interactive circuit is connected.
+/// </summary>
+/// <param name="loggerFactory">ILoggerFactory instance.</param>
+/// <param name="scopeFactory">IServiceScopeFactory instance.</param>
+/// <param name="options">IOptions instance.</param>
+internal sealed class RevalidatingAuthenticationStateProvider(
+    ILoggerFactory loggerFactory,
+    IServiceScopeFactory scopeFactory,
+    IOptions<IdentityOptions> options)
+    : RevalidatingServerAuthenticationStateProvider(loggerFactory)
+{
+    /// <summary>
+    /// Gets the revalidation interval.
+    /// </summary>
+    protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(30);
+
+    /// <summary>
+    /// Validate the authentication state.
+    /// </summary>
+    /// <param name="authenticationState">AuthenticationState instance.</param>
+    /// <param name="cancellationToken">CancellationToken.</param>
+    /// <returns>Boolean indicating whether the currently logged on user is still valid.</returns>
+    protected override async Task<bool> ValidateAuthenticationStateAsync(
+        AuthenticationState authenticationState, CancellationToken cancellationToken)
+    {
+        // Get the user manager from a new scope to ensure it fetches fresh data
+        await using var scope = scopeFactory.CreateAsyncScope();
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<AdminUser>>();
+        return await ValidateSecurityStampAsync(userManager, authenticationState.User);
+    }
+
+    private async Task<bool> ValidateSecurityStampAsync(UserManager<AdminUser> userManager, ClaimsPrincipal principal)
+    {
+        var user = await userManager.GetUserAsync(principal);
+        if (user is null)
+        {
+            return false;
+        }
+
+        if (!userManager.SupportsUserSecurityStamp)
+        {
+            return true;
+        }
+
+        var principalStamp = principal.FindFirstValue(options.Value.ClaimsIdentity.SecurityStampClaimType);
+        var userStamp = await userManager.GetSecurityStampAsync(user);
+        return principalStamp == userStamp;
+    }
+}

src/AliasVault.Admin/Auth/_Imports.razor

@@ -0,0 +1,12 @@
+@using System.Net.Http
+@using System.Net.Http.Json
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.AspNetCore.Components.Routing
+@using Microsoft.AspNetCore.Components.Web
+@using static Microsoft.AspNetCore.Components.Web.RenderMode
+@using Microsoft.AspNetCore.Components.Web.Virtualization
+@using Microsoft.JSInterop
+@using AliasVault.Admin
+@using AliasVault.Admin.Main
+@using AliasServerDb

src/AliasVault.Admin/Config.cs

@@ -0,0 +1,26 @@
+//-----------------------------------------------------------------------
+// <copyright file="Config.cs" company="lanedirt">
+// Copyright (c) lanedirt. All rights reserved.
+// Licensed under the MIT license. See LICENSE.md file in the project root for full license information.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace AliasVault.Admin;
+
+/// <summary>
+/// Configuration class for the Admin project with values loaded from environment variables.
+/// </summary>
+public class Config
+{
+    /// <summary>
+    /// Gets or sets the admin password hash which is generated by install.sh and will be set
+    /// as the default password for the admin user.
+    /// </summary>
+    public string AdminPasswordHash { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Gets or sets the last time the password was changed. This is used to check if the
+    /// password hash generated by install.sh should replace the current password hash if user already exists.
+    /// </summary>
+    public DateTime LastPasswordChanged { get; set; } = DateTime.MinValue;
+}

src/AliasVault.Admin/Dockerfile

@@ -0,0 +1,25 @@
+FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
+WORKDIR /app
+EXPOSE 3002
+
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:9.0 AS build
+ARG TARGETARCH
+ARG BUILD_CONFIGURATION=Release
+WORKDIR /src
+COPY ["src/AliasVault.Admin/AliasVault.Admin.csproj", "src/AliasVault.Admin/"]
+RUN dotnet restore "src/AliasVault.Admin/AliasVault.Admin.csproj" -a "$TARGETARCH"
+COPY . .
+
+WORKDIR "/src/src/AliasVault.Admin"
+RUN dotnet publish "AliasVault.Admin.csproj" -c "$BUILD_CONFIGURATION" \
+    -a "$TARGETARCH" \
+    -o /app/publish \
+    /p:UseAppHost=false
+
+FROM base AS final
+WORKDIR /app
+COPY --from=build /app/publish .
+
+ENV ASPNETCORE_URLS=http://+:3002
+ENV ASPNETCORE_PATHBASE=/admin
+ENTRYPOINT ["dotnet", "AliasVault.Admin.dll"]