v1.1.0-beta.038 - feat(security): encrypt credentials at rest + permission/access foundation libs
🔒 Credentials encrypted at rest
- Generalize encryption.ts (encrypt2FA → encryptSecret/decryptSecret, back-compat aliases) + add SECRET_SETTING_KEYS (secret-keys.ts)
- db.ts: Prisma extension transparently decrypts SystemSetting secret values on read (call sites unchanged); only enc:v1: secret keys touched, plaintext/legacy passes through
- admin/config: encrypt DownloadClient/HosterAccount creds + secret SystemSetting values before persisting ('********' = unchanged)
- db-init: idempotent boot migration encrypts existing plaintext creds; enc:v1:-prefixed rows skipped
🧱 Foundation libs (wired up in later phases)
- library-access (per-library ACL), permission-tiers, duplicate-detector, filter-defaults, annas-test, utils/safe-fs (non-destructive relocate), hooks/use-library-ownership
🔧 SQLite adaptation
- setUserLibraryAccess: dropped createMany skipDuplicates (unsupported by Prisma's SQLite connector; unnecessary after the preceding deleteMany + de-dup)
✅ Verification
- tsc --noEmit clean; vitest 209/209 across 63 files (+4 suites: permission-tiers, library-access, safe-fs, duplicate-detector)
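
The following is an added example, not code from this release: it shows the behaviour the notes describe, with prefix-gated decryption on read, an idempotent boot migration, and the '********' "unchanged" mask on save. Only the names encryptSecret/decryptSecret, the enc:v1: prefix and the mask come from the notes; AES-256-GCM, the byte layout after the prefix, the row shape, the helper names migrateRows/valueToPersist and the setting keys are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const PREFIX = "enc:v1:"; // prefix named in the release notes
const MASK = "********";  // admin form placeholder meaning "unchanged"

// Assumed layout: enc:v1:<base64(iv[12] | tag[16] | ciphertext)>, AES-256-GCM.
function encryptSecret(plain: string, key: Buffer): string {
  const iv = randomBytes(12); // fresh nonce per value
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptSecret(stored: string, key: Buffer): string {
  // Plaintext/legacy values pass through untouched, so reads keep working
  // before the boot migration has rewritten a row.
  if (!stored.startsWith(PREFIX)) return stored;
  const raw = Buffer.from(stored.slice(PREFIX.length), "base64");
  if (raw.length < 28) throw new Error("truncated enc:v1 value");
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag does not verify (wrong key or modified row).
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

type Row = { key: string; value: string }; // hypothetical SystemSetting shape

// Boot migration: encrypt plaintext secret rows, skip rows already prefixed.
// Returns the number of rows rewritten, so a second run reports 0.
function migrateRows(rows: Row[], secretKeys: Set<string>, key: Buffer): number {
  let changed = 0;
  for (const row of rows) {
    if (!secretKeys.has(row.key) || row.value.startsWith(PREFIX)) continue;
    row.value = encryptSecret(row.value, key);
    changed++;
  }
  return changed;
}

// Admin save path: the mask keeps the stored ciphertext; anything else is a
// new secret and is encrypted before it is persisted.
function valueToPersist(submitted: string, stored: string, key: Buffer): string {
  return submitted === MASK ? stored : encryptSecret(submitted, key);
}
```

Gating on the prefix means a plaintext secret that itself begins with enc:v1: would be skipped by the migration and then fail authentication on read, so the save path should always call encryptSecret rather than checking the prefix.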