Merge pull request #10 from kmc7468/dev

v0.4.0

.dockerignore

@@ -27,6 +27,3 @@ Thumbs.db
 # Vite
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
-
-# SQLite
-*.db

.env.example

@@ -1,8 +1,12 @@
 # Required environment variables
+DATABASE_PASSWORD=
 SESSION_SECRET=
 
 # Optional environment variables
-DATABASE_URL=
+DATABASE_HOST=
+DATABASE_PORT=
+DATABASE_USER=
+DATABASE_NAME=
 SESSION_EXPIRES=
 USER_CLIENT_CHALLENGE_EXPIRES=
 SESSION_UPGRADE_CHALLENGE_EXPIRES=

.gitignore

@@ -26,6 +26,3 @@ Thumbs.db
 # Vite
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
-
-# SQLite
-*.db

.prettierignore

@@ -3,8 +3,5 @@ package-lock.json
 pnpm-lock.yaml
 yarn.lock
 
-# Output
-/drizzle
-
 # Documents
 *.md

Dockerfile

@@ -2,6 +2,10 @@
 FROM node:22-alpine AS base
 WORKDIR /app
 
+RUN apk add --no-cache bash curl && \
+    curl -o /usr/local/bin/wait-for-it https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh && \
+    chmod +x /usr/local/bin/wait-for-it
+
 RUN npm install -g pnpm@9
 COPY pnpm-lock.yaml .
 
@@ -10,10 +14,9 @@ FROM base AS build
 RUN pnpm fetch
 
 COPY . .
-RUN pnpm install --offline
-RUN pnpm build
-
-RUN sed -i "s/http\.createServer()/http.createServer({ requestTimeout: 0 })/g" ./build/index.js
+RUN pnpm install --offline && \
+    pnpm build && \
+    sed -i "s/http\.createServer()/http.createServer({ requestTimeout: 0 })/g" ./build/index.js
 
 # Deploy Stage
 FROM base
@@ -23,9 +26,7 @@ COPY package.json .
 RUN pnpm install --offline --prod
 
 COPY --from=build /app/build ./build
-COPY drizzle ./drizzle
 
 EXPOSE 3000
 ENV BODY_SIZE_LIMIT=Infinity
-
-CMD ["node", "./build/index.js"]
+CMD ["bash", "-c", "wait-for-it ${DATABASE_HOST:-localhost}:${DATABASE_PORT:-5432} -- node ./build/index.js"]

README.md

@@ -23,7 +23,7 @@ vim .env # 아래를 참고하여 환경 변수를 설정해 주세요.
 docker compose up --build -d
 ```
 
-모든 데이터는 `./data` 디렉터리에 저장될 거예요.
+모든 데이터는 `./data` 디렉터리에 아래에 저장될 거예요.
 
 ### Environment Variables
 
@@ -31,7 +31,8 @@ docker compose up --build -d
 
 |이름|필수|기본값|설명|
 |:-|:-:|:-:|:-|
-|`SESSION_SECRET`|Y||Session ID의 서명을 위해 사용돼요. 안전한 값으로 설정해 주세요.|
+|`DATABASE_PASSWORD`|Y||데이터베이스에 접근하기 위해 필요한 비밀번호예요. 안전한 값으로 설정해 주세요.|
+|`SESSION_SECRET`|Y||Session ID의 서명에 사용되는 비밀번호예요. 안전한 값으로 설정해 주세요.|
 |`SESSION_EXPIRES`||`14d`|Session의 유효 시간이에요. Session은 마지막으로 사용된 후 설정된 유효 시간이 지나면 자동으로 삭제돼요.|
 |`USER_CLIENT_CHALLENGE_EXPIRES`||`5m`|암호 키를 서버에 처음 등록할 때 사용되는 챌린지의 유효 시간이에요.|
 |`SESSION_UPGRADE_CHALLENGE_EXPIRES`||`5m`|암호 키와 함께 로그인할 때 사용되는 챌린지의 유효 시간이에요.|

docker-compose.dev.yaml

@@ -0,0 +1,15 @@
+services:
+  database:
+    image: postgres:17.2
+    restart: on-failure
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=${DATABASE_USER:-}
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?} # Required
+      - POSTGRES_DB=${DATABASE_NAME:-}
+    ports:
+      - ${DATABASE_PORT:-5432}:5432
+
+volumes:
+  database:

docker-compose.yaml

@@ -1,13 +1,17 @@
 services:
   server:
     build: .
-    restart: unless-stopped
+    restart: on-failure
+    depends_on:
+      - database
     user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
     volumes:
-      - ./data:/app/data
+      - ./data/library:/app/data/library
     environment:
       # ArkVault
-      - DATABASE_URL=/app/data/database.sqlite
+      - DATABASE_HOST=database
+      - DATABASE_USER=arkvault
+      - DATABASE_PASSWORD=${DATABASE_PASSWORD:?} # Required
       - SESSION_SECRET=${SESSION_SECRET:?} # Required
       - SESSION_EXPIRES
       - USER_CLIENT_CHALLENGE_EXPIRES
@@ -19,3 +23,13 @@ services:
       - NODE_ENV=${NODE_ENV:-production}
     ports:
       - ${PORT:-80}:3000
+
+  database:
+    image: postgres:17.2-alpine
+    restart: on-failure
+    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
+    volumes:
+      - ./data/database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=arkvault
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?}

drizzle.config.ts

@@ -1,13 +0,0 @@
-import { defineConfig } from "drizzle-kit";
-
-export default defineConfig({
-  schema: "./src/lib/server/db/schema",
-
-  dbCredentials: {
-    url: process.env.DATABASE_URL || "local.db",
-  },
-
-  verbose: true,
-  strict: true,
-  dialect: "sqlite",
-});

drizzle/0000_unknown_stark_industries.sql

@@ -1,175 +0,0 @@
-CREATE TABLE `client` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`encryption_public_key` text NOT NULL,
-	`signature_public_key` text NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE `user_client` (
-	`user_id` integer NOT NULL,
-	`client_id` integer NOT NULL,
-	`state` text DEFAULT 'challenging' NOT NULL,
-	PRIMARY KEY(`client_id`, `user_id`),
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`client_id`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `user_client_challenge` (
-	`id` integer PRIMARY KEY NOT NULL,
-	`user_id` integer NOT NULL,
-	`client_id` integer NOT NULL,
-	`answer` text NOT NULL,
-	`allowed_ip` text NOT NULL,
-	`expires_at` integer NOT NULL,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`client_id`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`client_id`) REFERENCES `user_client`(`user_id`,`client_id`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `directory` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`parent_id` integer,
-	`user_id` integer NOT NULL,
-	`master_encryption_key_version` integer NOT NULL,
-	`encrypted_data_encryption_key` text NOT NULL,
-	`data_encryption_key_version` integer NOT NULL,
-	`encrypted_name` text NOT NULL,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`parent_id`) REFERENCES `directory`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`master_encryption_key_version`) REFERENCES `master_encryption_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `directory_log` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`directory_id` integer NOT NULL,
-	`timestamp` integer NOT NULL,
-	`action` text NOT NULL,
-	`new_name` text,
-	FOREIGN KEY (`directory_id`) REFERENCES `directory`(`id`) ON UPDATE no action ON DELETE cascade
-);
---> statement-breakpoint
-CREATE TABLE `file` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`parent_id` integer,
-	`user_id` integer NOT NULL,
-	`path` text NOT NULL,
-	`master_encryption_key_version` integer NOT NULL,
-	`encrypted_data_encryption_key` text NOT NULL,
-	`data_encryption_key_version` integer NOT NULL,
-	`hmac_secret_key_version` integer,
-	`content_hmac` text,
-	`content_type` text NOT NULL,
-	`encrypted_content_iv` text NOT NULL,
-	`encrypted_name` text NOT NULL,
-	FOREIGN KEY (`parent_id`) REFERENCES `directory`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`master_encryption_key_version`) REFERENCES `master_encryption_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`hmac_secret_key_version`) REFERENCES `hmac_secret_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `file_log` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`file_id` integer NOT NULL,
-	`timestamp` integer NOT NULL,
-	`action` text NOT NULL,
-	`new_name` text,
-	FOREIGN KEY (`file_id`) REFERENCES `file`(`id`) ON UPDATE no action ON DELETE cascade
-);
---> statement-breakpoint
-CREATE TABLE `hmac_secret_key` (
-	`user_id` integer NOT NULL,
-	`version` integer NOT NULL,
-	`state` text NOT NULL,
-	`master_encryption_key_version` integer NOT NULL,
-	`encrypted_key` text NOT NULL,
-	PRIMARY KEY(`user_id`, `version`),
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`master_encryption_key_version`) REFERENCES `master_encryption_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `hmac_secret_key_log` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`user_id` integer NOT NULL,
-	`hmac_secret_key_version` integer NOT NULL,
-	`timestamp` integer NOT NULL,
-	`action` text NOT NULL,
-	`action_by` integer,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`action_by`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`hmac_secret_key_version`) REFERENCES `hmac_secret_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `client_master_encryption_key` (
-	`user_id` integer NOT NULL,
-	`client_id` integer NOT NULL,
-	`version` integer NOT NULL,
-	`encrypted_key` text NOT NULL,
-	`encrypted_key_signature` text NOT NULL,
-	PRIMARY KEY(`client_id`, `user_id`, `version`),
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`client_id`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`version`) REFERENCES `master_encryption_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `master_encryption_key` (
-	`user_id` integer NOT NULL,
-	`version` integer NOT NULL,
-	`state` text NOT NULL,
-	`retired_at` integer,
-	PRIMARY KEY(`user_id`, `version`),
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `master_encryption_key_log` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`user_id` integer NOT NULL,
-	`master_encryption_key_version` integer NOT NULL,
-	`timestamp` integer NOT NULL,
-	`action` text NOT NULL,
-	`action_by` integer,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`action_by`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`user_id`,`master_encryption_key_version`) REFERENCES `master_encryption_key`(`user_id`,`version`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `session` (
-	`id` text PRIMARY KEY NOT NULL,
-	`user_id` integer NOT NULL,
-	`client_id` integer,
-	`created_at` integer NOT NULL,
-	`last_used_at` integer NOT NULL,
-	`last_used_by_ip` text,
-	`last_used_by_user_agent` text,
-	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`client_id`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `session_upgrade_challenge` (
-	`id` integer PRIMARY KEY NOT NULL,
-	`session_id` text NOT NULL,
-	`client_id` integer NOT NULL,
-	`answer` text NOT NULL,
-	`allowed_ip` text NOT NULL,
-	`expires_at` integer NOT NULL,
-	FOREIGN KEY (`session_id`) REFERENCES `session`(`id`) ON UPDATE no action ON DELETE no action,
-	FOREIGN KEY (`client_id`) REFERENCES `client`(`id`) ON UPDATE no action ON DELETE no action
-);
---> statement-breakpoint
-CREATE TABLE `user` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`email` text NOT NULL,
-	`password` text NOT NULL,
-	`nickname` text NOT NULL
-);
---> statement-breakpoint
-CREATE UNIQUE INDEX `client_encryption_public_key_unique` ON `client` (`encryption_public_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `client_signature_public_key_unique` ON `client` (`signature_public_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `client_encryption_public_key_signature_public_key_unique` ON `client` (`encryption_public_key`,`signature_public_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `user_client_challenge_answer_unique` ON `user_client_challenge` (`answer`);--> statement-breakpoint
-CREATE UNIQUE INDEX `directory_encrypted_data_encryption_key_unique` ON `directory` (`encrypted_data_encryption_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `file_path_unique` ON `file` (`path`);--> statement-breakpoint
-CREATE UNIQUE INDEX `file_encrypted_data_encryption_key_unique` ON `file` (`encrypted_data_encryption_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `hmac_secret_key_encrypted_key_unique` ON `hmac_secret_key` (`encrypted_key`);--> statement-breakpoint
-CREATE UNIQUE INDEX `session_user_id_client_id_unique` ON `session` (`user_id`,`client_id`);--> statement-breakpoint
-CREATE UNIQUE INDEX `session_upgrade_challenge_session_id_unique` ON `session_upgrade_challenge` (`session_id`);--> statement-breakpoint
-CREATE UNIQUE INDEX `session_upgrade_challenge_answer_unique` ON `session_upgrade_challenge` (`answer`);--> statement-breakpoint
-CREATE UNIQUE INDEX `user_email_unique` ON `user` (`email`);

drizzle/0001_blushing_alice.sql

@@ -1,2 +0,0 @@
-ALTER TABLE `file` ADD `encrypted_created_at` text;--> statement-breakpoint
-ALTER TABLE `file` ADD `encrypted_last_modified_at` text NOT NULL;

drizzle/meta/_journal.json

@@ -1,20 +0,0 @@
-{
-  "version": "7",
-  "dialect": "sqlite",
-  "entries": [
-    {
-      "idx": 0,
-      "version": "6",
-      "when": 1736704436996,
-      "tag": "0000_unknown_stark_industries",
-      "breakpoints": true
-    },
-    {
-      "idx": 1,
-      "version": "6",
-      "when": 1736720831242,
-      "tag": "0001_blushing_alice",
-      "breakpoints": true
-    }
-  ]
-}

kysely.config.ts

@@ -0,0 +1,18 @@
+import { defineConfig } from "kysely-ctl";
+import { Pool } from "pg";
+
+export default defineConfig({
+  dialect: "pg",
+  dialectConfig: {
+    pool: new Pool({
+      host: process.env.DATABASE_HOST,
+      port: process.env.DATABASE_PORT ? parseInt(process.env.DATABASE_PORT) : undefined,
+      user: process.env.DATABASE_USER,
+      password: process.env.DATABASE_PASSWORD,
+      database: process.env.DATABASE_NAME,
+    }),
+  },
+  migrations: {
+    migrationFolder: "./src/lib/server/db/migrations",
+  },
+});

package.json

@@ -1,7 +1,7 @@
 {
   "name": "arkvault",
   "private": true,
-  "version": "0.2.0",
+  "version": "0.4.0",
   "type": "module",
   "scripts": {
     "dev": "vite dev",
@@ -11,10 +11,9 @@
     "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
     "format": "prettier --write .",
     "lint": "prettier --check . && eslint .",
-    "db:push": "drizzle-kit push",
-    "db:generate": "drizzle-kit generate",
-    "db:migrate": "drizzle-kit migrate",
-    "db:studio": "drizzle-kit studio"
+    "db:up": "docker compose -f docker-compose.dev.yaml -p arkvault-dev up -d",
+    "db:down": "docker compose -f docker-compose.dev.yaml -p arkvault-dev down",
+    "db:migrate": "kysely migrate"
   },
   "devDependencies": {
     "@eslint/compat": "^1.2.4",
@@ -22,14 +21,13 @@
     "@sveltejs/adapter-node": "^5.2.11",
     "@sveltejs/kit": "^2.15.2",
     "@sveltejs/vite-plugin-svelte": "^4.0.4",
-    "@types/better-sqlite3": "^7.6.12",
     "@types/file-saver": "^2.0.7",
     "@types/ms": "^0.7.34",
     "@types/node-schedule": "^2.1.7",
+    "@types/pg": "^8.11.10",
     "autoprefixer": "^10.4.20",
     "axios": "^1.7.9",
     "dexie": "^4.0.10",
-    "drizzle-kit": "^0.22.8",
     "eslint": "^9.17.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-svelte": "^2.46.1",
@@ -38,12 +36,13 @@
     "file-saver": "^2.0.5",
     "globals": "^15.14.0",
     "heic2any": "^0.0.4",
+    "kysely-ctl": "^0.10.1",
     "mime": "^4.0.6",
     "p-limit": "^6.2.0",
     "prettier": "^3.4.2",
     "prettier-plugin-svelte": "^3.3.2",
     "prettier-plugin-tailwindcss": "^0.6.9",
-    "svelte": "^5.17.1",
+    "svelte": "^5.19.1",
     "svelte-check": "^4.1.3",
     "tailwindcss": "^3.4.17",
     "typescript": "^5.7.3",
@@ -54,10 +53,10 @@
   "dependencies": {
     "@fastify/busboy": "^3.1.1",
     "argon2": "^0.41.1",
-    "better-sqlite3": "^11.7.2",
-    "drizzle-orm": "^0.33.0",
+    "kysely": "^0.27.5",
     "ms": "^2.1.3",
     "node-schedule": "^2.1.1",
+    "pg": "^8.13.1",
     "uuid": "^11.0.4",
     "zod": "^3.24.1"
   },

src/app.html

@@ -1,5 +1,5 @@
 <!doctype html>
-<html lang="en">
+<html lang="ko">
   <head>
     <meta charset="utf-8" />
     <link rel="icon" href="%sveltekit.assets%/favicon.png" />

src/hooks.server.ts

@@ -2,15 +2,15 @@ import type { ServerInit } from "@sveltejs/kit";
 import { sequence } from "@sveltejs/kit/hooks";
 import schedule from "node-schedule";
 import { cleanupExpiredUserClientChallenges } from "$lib/server/db/client";
-import { migrateDB } from "$lib/server/db/drizzle";
+import { migrateDB } from "$lib/server/db/kysely";
 import {
   cleanupExpiredSessions,
   cleanupExpiredSessionUpgradeChallenges,
 } from "$lib/server/db/session";
 import { authenticate, setAgentInfo } from "$lib/server/middlewares";
 
-export const init: ServerInit = () => {
-  migrateDB();
+export const init: ServerInit = async () => {
+  await migrateDB();
 
   schedule.scheduleJob("0 * * * *", () => {
     cleanupExpiredUserClientChallenges();

src/lib/components/BottomSheet.svelte

@@ -1,39 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-  import { fade, fly } from "svelte/transition";
-  import { AdaptiveDiv } from "$lib/components/divs";
-
-  interface Props {
-    children: Snippet;
-    onclose?: () => void;
-    isOpen: boolean;
-  }
-
-  let { children, onclose, isOpen = $bindable() }: Props = $props();
-
-  const closeBottomSheet = $derived(
-    onclose ||
-      (() => {
-        isOpen = false;
-      }),
-  );
-</script>
-
-{#if isOpen}
-  <!-- svelte-ignore a11y_click_events_have_key_events -->
-  <!-- svelte-ignore a11y_no_static_element_interactions -->
-  <div onclick={closeBottomSheet} class="fixed inset-0 z-10 flex items-end justify-center">
-    <div class="absolute inset-0 bg-black bg-opacity-50" transition:fade={{ duration: 100 }}></div>
-    <div class="z-20 w-full">
-      <AdaptiveDiv>
-        <div
-          onclick={(e) => e.stopPropagation()}
-          class="flex max-h-[70vh] min-h-[30vh] rounded-t-2xl bg-white px-4"
-          transition:fly={{ y: 100, duration: 200 }}
-        >
-          {@render children?.()}
-        </div>
-      </AdaptiveDiv>
-    </div>
-  </div>
-{/if}

src/lib/components/Modal.svelte

@@ -1,38 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-  import { fade } from "svelte/transition";
-  import { AdaptiveDiv } from "$lib/components/divs";
-
-  interface Props {
-    children: Snippet;
-    onclose?: () => void;
-    isOpen: boolean;
-  }
-
-  let { children, onclose, isOpen = $bindable() }: Props = $props();
-
-  const closeModal = $derived(
-    onclose ||
-      (() => {
-        isOpen = false;
-      }),
-  );
-</script>
-
-{#if isOpen}
-  <!-- svelte-ignore a11y_click_events_have_key_events -->
-  <!-- svelte-ignore a11y_no_static_element_interactions -->
-  <div
-    onclick={closeModal}
-    class="fixed inset-0 z-10 bg-black bg-opacity-50"
-    transition:fade={{ duration: 100 }}
-  >
-    <AdaptiveDiv>
-      <div class="flex h-full items-center justify-center px-4">
-        <div onclick={(e) => e.stopPropagation()} class="rounded-2xl bg-white p-4">
-          {@render children?.()}
-        </div>
-      </div>
-    </AdaptiveDiv>
-  </div>
-{/if}

src/lib/components/TopBar.svelte

@@ -1,31 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-
-  import IconArrowBack from "~icons/material-symbols/arrow-back";
-
-  interface Props {
-    children?: Snippet;
-    onback?: () => void;
-    title?: string;
-  }
-
-  let { children, onback, title }: Props = $props();
-
-  const back = $derived(() => {
-    setTimeout(onback || (() => history.back()), 100);
-  });
-</script>
-
-<div class="sticky top-0 z-10 flex flex-shrink-0 items-center justify-between bg-white py-4">
-  <button onclick={back} class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-gray-100">
-    <IconArrowBack class="text-2xl" />
-  </button>
-  {#if title}
-    <p class="flex-grow truncate px-2 text-center text-lg font-semibold">{title}</p>
-  {/if}
-  <div class="w-[2.3rem] flex-shrink-0">
-    {#if children}
-      {@render children?.()}
-    {/if}
-  </div>
-</div>

src/lib/components/atoms/BottomSheet.svelte

@@ -0,0 +1,40 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+  import { fade, fly } from "svelte/transition";
+  import { AdaptiveDiv } from "$lib/components/atoms";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    isOpen: boolean;
+    onclose?: () => void;
+  }
+
+  let { children, class: className, isOpen = $bindable(), onclose }: Props = $props();
+</script>
+
+{#if isOpen}
+  <!-- svelte-ignore a11y_click_events_have_key_events -->
+  <!-- svelte-ignore a11y_no_static_element_interactions -->
+  <div
+    onclick={onclose || (() => (isOpen = false))}
+    class="fixed inset-0 z-10 flex items-end justify-center"
+  >
+    <div
+      class="absolute inset-0 bg-black bg-opacity-50"
+      transition:fade|global={{ duration: 100 }}
+    ></div>
+    <AdaptiveDiv class="z-10 w-full">
+      <div
+        onclick={(e) => e.stopPropagation()}
+        class="flex max-h-[70vh] min-h-[30vh] flex-col rounded-t-2xl bg-white"
+        transition:fly|global={{ y: 100, duration: 200 }}
+      >
+        <div class={["flex-grow overflow-y-auto", className]}>
+          {@render children()}
+        </div>
+      </div>
+    </AdaptiveDiv>
+  </div>
+{/if}

src/lib/components/atoms/Modal.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+  import { fade } from "svelte/transition";
+  import { AdaptiveDiv } from "$lib/components/atoms";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    isOpen: boolean;
+    onclose?: () => void;
+  }
+
+  let { children, class: className, isOpen = $bindable(), onclose }: Props = $props();
+</script>
+
+{#if isOpen}
+  <!-- svelte-ignore a11y_click_events_have_key_events -->
+  <!-- svelte-ignore a11y_no_static_element_interactions -->
+  <div
+    onclick={onclose || (() => (isOpen = false))}
+    class="fixed inset-0 z-10 bg-black bg-opacity-50"
+    transition:fade|global={{ duration: 100 }}
+  >
+    <AdaptiveDiv class="flex h-full items-center justify-center px-4">
+      <div onclick={(e) => e.stopPropagation()} class={["rounded-2xl bg-white p-4", className]}>
+        {@render children()}
+      </div>
+    </AdaptiveDiv>
+  </div>
+{/if}

src/lib/components/atoms/buttons/ActionEntryButton.svelte

@@ -0,0 +1,59 @@
+<script lang="ts">
+  import type { Component, Snippet } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+
+  interface Props {
+    actionButtonClass?: ClassValue;
+    actionButtonIcon?: Component<SvelteHTMLElements["svg"]>;
+    children: Snippet;
+    class?: ClassValue;
+    onActionButtonClick?: () => void;
+    onclick?: () => void;
+  }
+
+  let {
+    actionButtonIcon: ActionButtonIcon,
+    actionButtonClass: actionButtonClassName,
+    children,
+    class: className,
+    onActionButtonClick,
+    onclick,
+  }: Props = $props();
+</script>
+
+<!-- svelte-ignore a11y_no_static_element_interactions -->
+<!-- svelte-ignore a11y_click_events_have_key_events -->
+<div
+  id="container"
+  onclick={onclick && (() => setTimeout(onclick, 100))}
+  class={["rounded-xl", className]}
+>
+  <div id="children" class="flex h-full items-center gap-x-4 p-2 transition">
+    <div class="flex-grow overflow-x-hidden">
+      {@render children()}
+    </div>
+    {#if ActionButtonIcon}
+      <button
+        id="action-button"
+        onclick={(e) => {
+          e.stopPropagation();
+          if (onActionButtonClick) {
+            setTimeout(onActionButtonClick, 100);
+          }
+        }}
+        class={["flex-shrink-0 rounded-full p-1 text-lg active:bg-gray-100", actionButtonClassName]}
+      >
+        <ActionButtonIcon />
+      </button>
+    {/if}
+  </div>
+</div>
+
+<style>
+  #container:active:not(:has(#action-button:active)) {
+    @apply bg-gray-100;
+  }
+  #children:active:not(:has(#action-button:active)) {
+    @apply scale-95;
+  }
+</style>

src/lib/components/atoms/buttons/Button.svelte

@@ -0,0 +1,38 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    color?: "primary" | "gray";
+    onclick?: () => void;
+  }
+
+  let { children, class: className, color = "primary", onclick }: Props = $props();
+
+  let bgColor = $derived(
+    {
+      primary: "bg-primary-600 active:bg-primary-500",
+      gray: "bg-gray-300 active:bg-gray-400",
+    }[color],
+  );
+  let textColor = $derived(
+    {
+      primary: "text-white",
+      gray: "text-gray-800",
+    }[color],
+  );
+</script>
+
+<button
+  onclick={onclick && (() => setTimeout(onclick, 100))}
+  class={[
+    "h-12 min-w-fit rounded-xl p-3 font-medium transition active:scale-95",
+    bgColor,
+    textColor,
+    className,
+  ]}
+>
+  {@render children()}
+</button>

src/lib/components/atoms/buttons/EntryButton.svelte

@@ -0,0 +1,26 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  import IconChevronRight from "~icons/material-symbols/chevron-right";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    onclick?: () => void;
+  }
+
+  let { children, class: className, onclick }: Props = $props();
+</script>
+
+<button
+  onclick={onclick && (() => setTimeout(onclick, 100))}
+  class={["rounded-xl active:bg-gray-100", className]}
+>
+  <div class="flex h-full items-center gap-x-4 p-2 transition active:scale-95">
+    <div class="flex-grow">
+      {@render children()}
+    </div>
+    <IconChevronRight class="flex-shrink-0 text-xl text-gray-800" />
+  </div>
+</button>

src/lib/components/atoms/buttons/FloatingButton.svelte

@@ -0,0 +1,27 @@
+<script lang="ts">
+  import type { Component } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+  import { AdaptiveDiv } from "$lib/components/atoms";
+
+  interface Props {
+    class: ClassValue;
+    icon: Component<SvelteHTMLElements["svg"]>;
+    onclick?: () => void;
+  }
+
+  let { class: className, icon: Icon, onclick }: Props = $props();
+</script>
+
+<div class="pointer-events-none fixed inset-0">
+  <AdaptiveDiv class="relative h-full">
+    <button
+      onclick={onclick && (() => setTimeout(onclick, 100))}
+      class={[
+        "pointer-events-auto absolute flex h-14 w-14 items-center justify-center rounded-full bg-gray-300 text-xl shadow-lg transition active:scale-95 active:bg-gray-400",
+        className,
+      ]}
+    >
+      <Icon />
+    </button>
+  </AdaptiveDiv>
+</div>

src/lib/components/atoms/buttons/TextButton.svelte

@@ -10,14 +10,10 @@
 </script>
 
 <button
-  onclick={() => {
-    setTimeout(() => {
-      onclick?.();
-    }, 100);
-  }}
+  onclick={onclick && (() => setTimeout(onclick, 100))}
   class="text-sm font-medium text-gray-800 underline underline-offset-2 active:rounded-xl active:bg-gray-100"
 >
-  <div class="h-full w-full p-1 transition active:scale-95">
-    {@render children?.()}
+  <div class="h-full p-1 transition active:scale-95">
+    {@render children()}
   </div>
 </button>

src/lib/components/atoms/buttons/index.ts

@@ -1,3 +1,4 @@
+export { default as ActionEntryButton } from "./ActionEntryButton.svelte";
 export { default as Button } from "./Button.svelte";
 export { default as EntryButton } from "./EntryButton.svelte";
 export { default as FloatingButton } from "./FloatingButton.svelte";

src/lib/components/atoms/divs/AdaptiveDiv.svelte

@@ -0,0 +1,15 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+  }
+
+  let { children, class: className }: Props = $props();
+</script>
+
+<div class={["mx-auto max-w-screen-md", className]}>
+  {@render children()}
+</div>

src/lib/components/atoms/divs/BottomDiv.svelte

@@ -0,0 +1,15 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+  }
+
+  let { children, class: className }: Props = $props();
+</script>
+
+<div class={["sticky bottom-0 bg-white pb-4", className]}>
+  {@render children()}
+</div>

src/lib/components/atoms/divs/FullscreenDiv.svelte

@@ -0,0 +1,7 @@
+<script lang="ts">
+  let { children } = $props();
+</script>
+
+<div class="flex flex-grow flex-col justify-between px-4">
+  {@render children()}
+</div>

src/lib/components/atoms/divs/index.ts

@@ -1,3 +1,3 @@
 export { default as AdaptiveDiv } from "./AdaptiveDiv.svelte";
 export { default as BottomDiv } from "./BottomDiv.svelte";
-export { default as TitleDiv } from "./TitleDiv.svelte";
+export { default as FullscreenDiv } from "./FullscreenDiv.svelte";

src/lib/components/atoms/index.ts

@@ -1,3 +1,5 @@
 export { default as BottomSheet } from "./BottomSheet.svelte";
+export * from "./buttons";
+export * from "./divs";
+export * from "./inputs";
 export { default as Modal } from "./Modal.svelte";
-export { default as TopBar } from "./TopBar.svelte";

src/lib/components/atoms/inputs/CheckBox.svelte

@@ -0,0 +1,23 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+
+  import IconCheckCircle from "~icons/material-symbols/check-circle";
+  import IconCheckCircleOutline from "~icons/material-symbols/check-circle-outline";
+
+  interface Props {
+    checked?: boolean;
+    children: Snippet;
+  }
+
+  let { checked = $bindable(false), children }: Props = $props();
+</script>
+
+<label class="flex items-center gap-x-1">
+  <input bind:checked type="checkbox" class="hidden" />
+  {@render children()}
+  {#if checked}
+    <IconCheckCircle class="text-primary-600" />
+  {:else}
+    <IconCheckCircleOutline class="text-gray-300" />
+  {/if}
+</label>

src/lib/components/atoms/inputs/TextInput.svelte

@@ -0,0 +1,40 @@
+<script lang="ts">
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    class?: ClassValue;
+    placeholder: string;
+    type?: "text" | "password";
+    value?: string;
+  }
+
+  let { class: className, placeholder, type = "text", value = $bindable("") }: Props = $props();
+</script>
+
+<div class={className}>
+  <div class="relative mt-5">
+    <input
+      bind:value
+      {type}
+      placeholder=""
+      class="w-full border-b-2 border-gray-300 py-1 text-xl outline-none transition duration-300 ease-in-out"
+    />
+    <!-- svelte-ignore a11y_label_has_associated_control -->
+    <label
+      class="pointer-events-none absolute left-0 top-1/2 -translate-y-1/2 transform text-xl text-gray-400 transition-all duration-300 ease-in-out"
+    >
+      {placeholder}
+    </label>
+  </div>
+</div>
+
+<style>
+  input:focus,
+  input:not(:placeholder-shown) {
+    @apply border-primary-300;
+  }
+  input:focus + label,
+  input:not(:placeholder-shown) + label {
+    @apply top-0 -translate-y-full text-sm text-primary-400;
+  }
+</style>

src/lib/components/atoms/inputs/index.ts

@@ -1 +1,2 @@
+export { default as CheckBox } from "./CheckBox.svelte";
 export { default as TextInput } from "./TextInput.svelte";

src/lib/components/buttons/Button.svelte

@@ -1,37 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-
-  interface Props {
-    children: Snippet;
-    color?: "primary" | "gray";
-    onclick?: () => void;
-  }
-
-  let { children, color = "primary", onclick }: Props = $props();
-
-  const bgColorStyle = $derived(
-    {
-      primary: "bg-primary-600 active:bg-primary-500",
-      gray: "bg-gray-300 active:bg-gray-400",
-    }[color],
-  );
-  const fontColorStyle = $derived(
-    {
-      primary: "text-white",
-      gray: "text-gray-800",
-    }[color],
-  );
-</script>
-
-<button
-  onclick={() => {
-    setTimeout(() => {
-      onclick?.();
-    }, 100);
-  }}
-  class="{bgColorStyle} {fontColorStyle} h-12 w-full min-w-fit rounded-xl font-medium"
->
-  <div class="h-full w-full p-3 transition active:scale-95">
-    {@render children?.()}
-  </div>
-</button>

src/lib/components/buttons/EntryButton.svelte

@@ -1,30 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-
-  import IconChevronRight from "~icons/material-symbols/chevron-right";
-
-  interface Props {
-    children: Snippet;
-    onclick?: () => void;
-  }
-
-  let { children, onclick }: Props = $props();
-</script>
-
-<button
-  onclick={() => {
-    setTimeout(() => {
-      onclick?.();
-    }, 100);
-  }}
-  class="w-full rounded-xl active:bg-gray-100"
->
-  <div class="flex w-full justify-between p-2 transition active:scale-95">
-    <div>
-      {@render children?.()}
-    </div>
-    <div class="flex items-center justify-center">
-      <IconChevronRight class="text-xl text-gray-800" />
-    </div>
-  </div>
-</button>

src/lib/components/buttons/FloatingButton.svelte

@@ -1,36 +0,0 @@
-<script lang="ts">
-  import type { Component } from "svelte";
-  import type { SvelteHTMLElements } from "svelte/elements";
-  import { AdaptiveDiv } from "$lib/components/divs";
-
-  interface Props {
-    icon: Component<SvelteHTMLElements["svg"]>;
-    offset?: string;
-    onclick?: () => void;
-  }
-
-  let { icon: Icon, offset = "bottom-20", onclick }: Props = $props();
-
-  const click = () => {
-    setTimeout(() => {
-      onclick?.();
-    }, 100);
-  };
-</script>
-
-<div class="pointer-events-none fixed inset-0">
-  <div class="absolute w-full {offset}">
-    <AdaptiveDiv>
-      <div class="relative">
-        <div class="absolute bottom-4 right-4">
-          <button
-            onclick={click}
-            class="pointer-events-auto flex h-14 w-14 items-center justify-center rounded-full bg-gray-300 shadow-lg transition active:scale-95 active:bg-gray-400"
-          >
-            <Icon class="text-xl" />
-          </button>
-        </div>
-      </div>
-    </AdaptiveDiv>
-  </div>
-</div>

src/lib/components/divs/AdaptiveDiv.svelte

@@ -1,7 +0,0 @@
-<script lang="ts">
-  let { children } = $props();
-</script>
-
-<div class="mx-auto h-full w-full max-w-screen-md">
-  {@render children?.()}
-</div>

src/lib/components/divs/BottomDiv.svelte

@@ -1,7 +0,0 @@
-<script lang="ts">
-  let { children } = $props();
-</script>
-
-<div class="sticky bottom-0 flex flex-col items-center gap-y-2 bg-white pb-4">
-  {@render children?.()}
-</div>

src/lib/components/divs/TitleDiv.svelte

@@ -1,21 +0,0 @@
-<script lang="ts">
-  import type { Component, Snippet } from "svelte";
-  import type { SvelteHTMLElements } from "svelte/elements";
-
-  interface Props {
-    children: Snippet;
-    icon?: Component<SvelteHTMLElements["svg"]>;
-    topPadding?: boolean;
-  }
-
-  let { topPadding = true, children, icon: Icon }: Props = $props();
-</script>
-
-<div>
-  <div class="box-content flex min-h-[10vh] items-center {topPadding ? 'pt-4' : ''}">
-    {#if Icon}
-      <Icon class="text-5xl text-gray-600" />
-    {/if}
-  </div>
-  {@render children?.()}
-</div>

src/lib/components/inputs/TextInput.svelte

@@ -1,35 +0,0 @@
-<script lang="ts">
-  interface Props {
-    placeholder: string;
-    type?: "text" | "password";
-    value?: string;
-  }
-
-  let { placeholder, type = "text", value = $bindable("") }: Props = $props();
-</script>
-
-<div class="relative mt-5">
-  <input
-    bind:value
-    {type}
-    placeholder=""
-    class="w-full border-b-2 border-gray-300 py-1 text-xl outline-none transition duration-300 ease-in-out"
-  />
-  <!-- svelte-ignore a11y_label_has_associated_control -->
-  <label
-    class="absolute left-0 top-1/2 -translate-y-1/2 transform text-xl text-gray-400 transition-all duration-300 ease-in-out"
-  >
-    {placeholder}
-  </label>
-</div>
-
-<style>
-  input:focus,
-  input:not(:placeholder-shown) {
-    @apply border-primary-300;
-  }
-  input:focus + label,
-  input:not(:placeholder-shown) + label {
-    @apply top-0 -translate-y-full text-sm text-primary-400;
-  }
-</style>

src/lib/components/molecules/ActionModal.svelte

@@ -0,0 +1,50 @@
+<script module lang="ts">
+  export type ConfirmHandler = () => void | Promise<void> | boolean | Promise<boolean>;
+</script>
+
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import { Button, Modal } from "$lib/components/atoms";
+
+  interface Props {
+    cancelText?: string;
+    children: Snippet;
+    confirmText: string;
+    isOpen: boolean;
+    onbeforeclose?: () => void;
+    onConfirmClick: ConfirmHandler;
+    title: string;
+  }
+
+  let {
+    cancelText = "닫기",
+    children,
+    confirmText,
+    isOpen = $bindable(),
+    onbeforeclose,
+    onConfirmClick,
+    title,
+  }: Props = $props();
+
+  const closeModal = () => {
+    onbeforeclose?.();
+    isOpen = false;
+  };
+
+  const confirmAction = async () => {
+    if ((await onConfirmClick()) !== false) {
+      closeModal();
+    }
+  };
+</script>
+
+<Modal bind:isOpen onclose={closeModal} class="space-y-4">
+  <div class="flex flex-col gap-y-2 break-keep">
+    <p class="text-xl font-bold">{title}</p>
+    {@render children()}
+  </div>
+  <div class="flex gap-x-2">
+    <Button color="gray" onclick={closeModal} class="flex-1">{cancelText}</Button>
+    <Button onclick={confirmAction} class="flex-1">{confirmText}</Button>
+  </div>
+</Modal>

src/lib/components/molecules/Categories/Categories.svelte

@@ -0,0 +1,63 @@
+<script lang="ts">
+  import { untrack, type Component } from "svelte";
+  import type { SvelteHTMLElements } from "svelte/elements";
+  import { get, type Writable } from "svelte/store";
+  import type { CategoryInfo } from "$lib/modules/filesystem";
+  import { SortBy, sortEntries } from "$lib/modules/util";
+  import Category from "./Category.svelte";
+  import type { SelectedCategory } from "./service";
+
+  interface Props {
+    categories: Writable<CategoryInfo | null>[];
+    categoryMenuIcon?: Component<SvelteHTMLElements["svg"]>;
+    onCategoryClick: (category: SelectedCategory) => void;
+    onCategoryMenuClick?: (category: SelectedCategory) => void;
+    sortBy?: SortBy;
+  }
+
+  let {
+    categories,
+    categoryMenuIcon,
+    onCategoryClick,
+    onCategoryMenuClick,
+    sortBy = SortBy.NAME_ASC,
+  }: Props = $props();
+
+  let categoriesWithName: { name?: string; info: Writable<CategoryInfo | null> }[] = $state([]);
+
+  $effect(() => {
+    categoriesWithName = categories.map((category) => ({
+      name: get(category)?.name,
+      info: category,
+    }));
+
+    const sort = () => {
+      sortEntries(categoriesWithName, sortBy);
+    };
+    return untrack(() => {
+      sort();
+
+      const unsubscribes = categoriesWithName.map((category) =>
+        category.info.subscribe((value) => {
+          if (category.name === value?.name) return;
+          category.name = value?.name;
+          sort();
+        }),
+      );
+      return () => unsubscribes.forEach((unsubscribe) => unsubscribe());
+    });
+  });
+</script>
+
+{#if categoriesWithName.length > 0}
+  <div class="space-y-1">
+    {#each categoriesWithName as { info }}
+      <Category
+        {info}
+        menuIcon={categoryMenuIcon}
+        onclick={onCategoryClick}
+        onMenuClick={onCategoryMenuClick}
+      />
+    {/each}
+  </div>
+{/if}

src/lib/components/molecules/Categories/Category.svelte

@@ -0,0 +1,43 @@
+<script lang="ts">
+  import type { Component } from "svelte";
+  import type { SvelteHTMLElements } from "svelte/elements";
+  import type { Writable } from "svelte/store";
+  import { ActionEntryButton } from "$lib/components/atoms";
+  import { CategoryLabel } from "$lib/components/molecules";
+  import type { CategoryInfo } from "$lib/modules/filesystem";
+  import type { SelectedCategory } from "./service";
+
+  interface Props {
+    info: Writable<CategoryInfo | null>;
+    menuIcon?: Component<SvelteHTMLElements["svg"]>;
+    onclick: (category: SelectedCategory) => void;
+    onMenuClick?: (category: SelectedCategory) => void;
+  }
+
+  let { info, menuIcon, onclick, onMenuClick }: Props = $props();
+
+  const openCategory = () => {
+    const { id, dataKey, dataKeyVersion, name } = $info as CategoryInfo;
+    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
+
+    onclick({ id, dataKey, dataKeyVersion, name });
+  };
+
+  const openMenu = () => {
+    const { id, dataKey, dataKeyVersion, name } = $info as CategoryInfo;
+    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
+
+    onMenuClick!({ id, dataKey, dataKeyVersion, name });
+  };
+</script>
+
+{#if $info}
+  <ActionEntryButton
+    class="h-12"
+    onclick={openCategory}
+    actionButtonIcon={menuIcon}
+    onActionButtonClick={openMenu}
+  >
+    <CategoryLabel name={$info.name!} />
+  </ActionEntryButton>
+{/if}

src/lib/components/molecules/Categories/index.ts

@@ -0,0 +1,2 @@
+export { default } from "./Categories.svelte";
+export * from "./service";

src/lib/components/molecules/Categories/service.ts

@@ -0,0 +1,6 @@
+export interface SelectedCategory {
+  id: number;
+  dataKey: CryptoKey;
+  dataKeyVersion: Date;
+  name: string;
+}

src/lib/components/molecules/IconEntryButton.svelte

@@ -0,0 +1,30 @@
+<script lang="ts">
+  import type { Component, Snippet } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+  import { EntryButton } from "$lib/components/atoms";
+  import { IconLabel } from "$lib/components/molecules";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    icon: Component<SvelteHTMLElements["svg"]>;
+    iconClass?: ClassValue;
+    onclick?: () => void;
+    textClass?: ClassValue;
+  }
+
+  let {
+    children,
+    class: className,
+    icon,
+    iconClass: iconClassName,
+    onclick,
+    textClass: textClassName,
+  }: Props = $props();
+</script>
+
+<EntryButton {onclick} class={className}>
+  <IconLabel {icon} class="h-full" iconClass={iconClassName} textClass={textClassName}>
+    {@render children()}
+  </IconLabel>
+</EntryButton>

src/lib/components/molecules/SubCategories.svelte

@@ -0,0 +1,67 @@
+<script lang="ts">
+  import type { Component } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+  import type { Writable } from "svelte/store";
+  import { Categories, IconEntryButton, type SelectedCategory } from "$lib/components/molecules";
+  import { getCategoryInfo, type CategoryInfo } from "$lib/modules/filesystem";
+  import { masterKeyStore } from "$lib/stores";
+
+  import IconAddCircle from "~icons/material-symbols/add-circle";
+
+  interface Props {
+    class?: ClassValue;
+    info: CategoryInfo;
+    onSubCategoryClick: (subCategory: SelectedCategory) => void;
+    onSubCategoryCreateClick: () => void;
+    onSubCategoryMenuClick?: (category: SelectedCategory) => void;
+    subCategoryCreatePosition?: "top" | "bottom";
+    subCategoryMenuIcon?: Component<SvelteHTMLElements["svg"]>;
+  }
+
+  let {
+    class: className,
+    info,
+    onSubCategoryClick,
+    onSubCategoryCreateClick,
+    onSubCategoryMenuClick,
+    subCategoryCreatePosition = "bottom",
+    subCategoryMenuIcon,
+  }: Props = $props();
+
+  let subCategories: Writable<CategoryInfo | null>[] = $state([]);
+
+  $effect(() => {
+    subCategories = info.subCategoryIds.map((id) =>
+      getCategoryInfo(id, $masterKeyStore?.get(1)?.key!),
+    );
+  });
+</script>
+
+<div class={["space-y-1", className]}>
+  {#snippet subCategoryCreate()}
+    <IconEntryButton
+      icon={IconAddCircle}
+      onclick={onSubCategoryCreateClick}
+      class="h-12 w-full"
+      iconClass="text-gray-600"
+      textClass="text-gray-700"
+    >
+      카테고리 추가하기
+    </IconEntryButton>
+  {/snippet}
+
+  {#if subCategoryCreatePosition === "top"}
+    {@render subCategoryCreate()}
+  {/if}
+  {#key info}
+    <Categories
+      categories={subCategories}
+      categoryMenuIcon={subCategoryMenuIcon}
+      onCategoryClick={onSubCategoryClick}
+      onCategoryMenuClick={onSubCategoryMenuClick}
+    />
+  {/key}
+  {#if subCategoryCreatePosition === "bottom"}
+    {@render subCategoryCreate()}
+  {/if}
+</div>

src/lib/components/molecules/TitledDiv.svelte

@@ -0,0 +1,43 @@
+<script lang="ts">
+  import type { Component, Snippet } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+  import { TitleLabel } from "$lib/components/molecules";
+
+  interface Props {
+    children?: Snippet;
+    childrenClass?: ClassValue;
+    class?: ClassValue;
+    description?: Snippet;
+    icon?: Component<SvelteHTMLElements["svg"]>;
+    title: Snippet;
+    titleClass?: ClassValue;
+  }
+
+  let {
+    children,
+    childrenClass: childrenClassName,
+    class: className,
+    description,
+    icon,
+    title,
+    titleClass: titleClassName,
+  }: Props = $props();
+</script>
+
+<div class={["space-y-4 py-4", className]}>
+  <div class="space-y-2 break-keep">
+    <TitleLabel {icon} textClass={titleClassName}>
+      {@render title()}
+    </TitleLabel>
+    {#if description}
+      <p>
+        {@render description()}
+      </p>
+    {/if}
+  </div>
+  {#if children}
+    <div class={childrenClassName}>
+      {@render children()}
+    </div>
+  {/if}
+</div>

src/lib/components/molecules/TopBar.svelte

@@ -0,0 +1,37 @@
+<script lang="ts">
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  import IconArrowBack from "~icons/material-symbols/arrow-back";
+
+  interface Props {
+    children?: Snippet;
+    class?: ClassValue;
+    onBackClick?: () => void;
+    title?: string;
+  }
+
+  let { children, class: className, onBackClick, title }: Props = $props();
+</script>
+
+<div
+  class={[
+    "sticky top-0 z-10 flex items-center justify-between gap-x-2 px-2 py-3 backdrop-blur-2xl",
+    className,
+  ]}
+>
+  <button
+    onclick={onBackClick || (() => history.back())}
+    class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-black active:bg-opacity-[0.04]"
+  >
+    <IconArrowBack class="text-2xl" />
+  </button>
+  {#if title}
+    <p class="flex-grow truncate text-center text-lg font-semibold">{title}</p>
+  {/if}
+  <div class="w-[2.3rem] flex-shrink-0">
+    {#if children}
+      {@render children()}
+    {/if}
+  </div>
+</div>

src/lib/components/molecules/index.ts

@@ -0,0 +1,9 @@
+export * from "./ActionModal.svelte";
+export { default as ActionModal } from "./ActionModal.svelte";
+export * from "./Categories";
+export { default as Categories } from "./Categories";
+export { default as IconEntryButton } from "./IconEntryButton.svelte";
+export * from "./labels";
+export { default as SubCategories } from "./SubCategories.svelte";
+export { default as TitledDiv } from "./TitledDiv.svelte";
+export { default as TopBar } from "./TopBar.svelte";

src/lib/components/molecules/labels/CategoryLabel.svelte

@@ -0,0 +1,28 @@
+<script lang="ts">
+  import type { ClassValue } from "svelte/elements";
+  import { IconLabel } from "$lib/components/molecules";
+
+  import IconCategory from "~icons/material-symbols/category";
+
+  interface Props {
+    class?: ClassValue;
+    name: string;
+    subtext?: string;
+    textClass?: ClassValue;
+  }
+
+  let { class: className, name, subtext, textClass: textClassName }: Props = $props();
+</script>
+
+{#snippet subtextSnippet()}
+  {subtext}
+{/snippet}
+
+<IconLabel
+  icon={IconCategory}
+  subtext={subtext ? subtextSnippet : undefined}
+  class={className}
+  textClass={textClassName}
+>
+  {name}
+</IconLabel>

src/lib/components/molecules/labels/DirectoryEntryLabel.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  import type { ClassValue } from "svelte/elements";
+  import { IconLabel } from "$lib/components/molecules";
+
+  import IconFolder from "~icons/material-symbols/folder";
+  import IconDraft from "~icons/material-symbols/draft";
+
+  interface Props {
+    class?: ClassValue;
+    name: string;
+    subtext?: string;
+    textClass?: ClassValue;
+    type: "directory" | "file";
+  }
+
+  let { class: className, name, subtext, textClass: textClassName, type }: Props = $props();
+</script>
+
+{#snippet subtextSnippet()}
+  {subtext}
+{/snippet}
+
+<IconLabel
+  icon={type === "directory" ? IconFolder : IconDraft}
+  iconClass={type === "file" ? "text-blue-400" : undefined}
+  subtext={subtext ? subtextSnippet : undefined}
+  class={className}
+  textClass={textClassName}
+>
+  {name}
+</IconLabel>

src/lib/components/molecules/labels/IconLabel.svelte

@@ -0,0 +1,38 @@
+<script lang="ts">
+  import type { Component, Snippet } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    icon: Component<SvelteHTMLElements["svg"]>;
+    iconClass?: ClassValue;
+    subtext?: Snippet;
+    textClass?: ClassValue;
+  }
+
+  let {
+    children,
+    class: className,
+    icon: Icon,
+    iconClass: iconClassName,
+    subtext,
+    textClass: textClassName,
+  }: Props = $props();
+</script>
+
+<div class={["flex items-center gap-x-4", className]}>
+  <div class={["flex-shrink-0 text-lg", iconClassName]}>
+    <Icon />
+  </div>
+  <div class="flex flex-grow flex-col overflow-x-hidden text-left">
+    <p class={["truncate font-medium", textClassName]}>
+      {@render children()}
+    </p>
+    {#if subtext}
+      <p class="truncate text-xs text-gray-800">
+        {@render subtext()}
+      </p>
+    {/if}
+  </div>
+</div>

src/lib/components/molecules/labels/TitleLabel.svelte

@@ -0,0 +1,24 @@
+<script lang="ts">
+  import type { Component, Snippet } from "svelte";
+  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+    icon?: Component<SvelteHTMLElements["svg"]>;
+    textClass?: ClassValue;
+  }
+
+  let { children, class: className, icon: Icon, textClass: textClassName }: Props = $props();
+</script>
+
+<div class={className}>
+  <div class="flex min-h-[10vh] items-center">
+    {#if Icon}
+      <Icon class="text-5xl text-gray-600" />
+    {/if}
+  </div>
+  <p class={["text-3xl font-bold", textClassName]}>
+    {@render children()}
+  </p>
+</div>

src/lib/components/molecules/labels/index.ts

@@ -0,0 +1,4 @@
+export { default as CategoryLabel } from "./CategoryLabel.svelte";
+export { default as DirectoryEntryLabel } from "./DirectoryEntryLabel.svelte";
+export { default as IconLabel } from "./IconLabel.svelte";
+export { default as TitleLabel } from "./TitleLabel.svelte";

src/lib/components/organisms/Category/Category.svelte

@@ -0,0 +1,107 @@
+<script lang="ts">
+  import { untrack } from "svelte";
+  import { get, type Writable } from "svelte/store";
+  import { CheckBox } from "$lib/components/atoms";
+  import { SubCategories, type SelectedCategory } from "$lib/components/molecules";
+  import { getFileInfo, type FileInfo, type CategoryInfo } from "$lib/modules/filesystem";
+  import { SortBy, sortEntries } from "$lib/modules/util";
+  import { masterKeyStore } from "$lib/stores";
+  import File from "./File.svelte";
+  import type { SelectedFile } from "./service";
+
+  import IconMoreVert from "~icons/material-symbols/more-vert";
+
+  interface Props {
+    info: CategoryInfo;
+    onFileClick: (file: SelectedFile) => void;
+    onFileRemoveClick: (file: SelectedFile) => void;
+    onSubCategoryClick: (subCategory: SelectedCategory) => void;
+    onSubCategoryCreateClick: () => void;
+    onSubCategoryMenuClick: (subCategory: SelectedCategory) => void;
+    sortBy?: SortBy;
+    isFileRecursive: boolean;
+  }
+
+  let {
+    info,
+    onFileClick,
+    onFileRemoveClick,
+    onSubCategoryClick,
+    onSubCategoryCreateClick,
+    onSubCategoryMenuClick,
+    sortBy = SortBy.NAME_ASC,
+    isFileRecursive = $bindable(),
+  }: Props = $props();
+
+  let files: { name?: string; info: Writable<FileInfo | null>; isRecursive: boolean }[] = $state(
+    [],
+  );
+
+  $effect(() => {
+    files =
+      info.files
+        ?.filter(({ isRecursive }) => isFileRecursive || !isRecursive)
+        .map(({ id, isRecursive }) => {
+          const info = getFileInfo(id, $masterKeyStore?.get(1)?.key!);
+          return {
+            name: get(info)?.name,
+            info,
+            isRecursive,
+          };
+        }) ?? [];
+
+    const sort = () => {
+      sortEntries(files, sortBy);
+    };
+    return untrack(() => {
+      sort();
+
+      const unsubscribes = files.map((file) =>
+        file.info.subscribe((value) => {
+          if (file.name === value?.name) return;
+          file.name = value?.name;
+          sort();
+        }),
+      );
+      return () => unsubscribes.forEach((unsubscribe) => unsubscribe());
+    });
+  });
+</script>
+
+<div class="space-y-4">
+  <div class="space-y-4 bg-white p-4">
+    {#if info.id !== "root"}
+      <p class="text-lg font-bold text-gray-800">하위 카테고리</p>
+    {/if}
+    <SubCategories
+      {info}
+      {onSubCategoryClick}
+      {onSubCategoryCreateClick}
+      {onSubCategoryMenuClick}
+      subCategoryMenuIcon={IconMoreVert}
+    />
+  </div>
+  {#if info.id !== "root"}
+    <div class="space-y-4 bg-white p-4">
+      <div class="flex items-center justify-between">
+        <p class="text-lg font-bold text-gray-800">파일</p>
+        <CheckBox bind:checked={isFileRecursive}>
+          <p class="font-medium">하위 카테고리의 파일</p>
+        </CheckBox>
+      </div>
+      <div class="space-y-1">
+        {#key info}
+          {#each files as { info, isRecursive }}
+            <File
+              {info}
+              onclick={onFileClick}
+              onRemoveClick={!isRecursive ? onFileRemoveClick : undefined}
+            />
+          {:else}
+            <p class="text-gray-500 text-center">이 카테고리에 추가된 파일이 없어요.</p>
+          {/each}
+        {/key}
+      </div>
+    </div>
+  {/if}
+</div>

src/lib/components/organisms/Category/File.svelte

@@ -0,0 +1,42 @@
+<script lang="ts">
+  import type { Writable } from "svelte/store";
+  import { ActionEntryButton } from "$lib/components/atoms";
+  import { DirectoryEntryLabel } from "$lib/components/molecules";
+  import type { FileInfo } from "$lib/modules/filesystem";
+  import type { SelectedFile } from "./service";
+
+  import IconClose from "~icons/material-symbols/close";
+
+  interface Props {
+    info: Writable<FileInfo | null>;
+    onclick: (selectedFile: SelectedFile) => void;
+    onRemoveClick?: (selectedFile: SelectedFile) => void;
+  }
+
+  let { info, onclick, onRemoveClick }: Props = $props();
+
+  const openFile = () => {
+    const { id, dataKey, dataKeyVersion, name } = $info as FileInfo;
+    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
+
+    onclick({ id, dataKey, dataKeyVersion, name });
+  };
+
+  const removeFile = () => {
+    const { id, dataKey, dataKeyVersion, name } = $info as FileInfo;
+    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
+
+    onRemoveClick!({ id, dataKey, dataKeyVersion, name });
+  };
+</script>
+
+{#if $info}
+  <ActionEntryButton
+    class="h-12"
+    onclick={openFile}
+    actionButtonIcon={onRemoveClick && IconClose}
+    onActionButtonClick={removeFile}
+  >
+    <DirectoryEntryLabel type="file" name={$info.name} />
+  </ActionEntryButton>
+{/if}

src/lib/components/organisms/Category/index.ts

@@ -0,0 +1,2 @@
+export { default } from "./Category.svelte";
+export * from "./service";

src/lib/components/organisms/Category/service.ts

@@ -0,0 +1,6 @@
+export interface SelectedFile {
+  id: number;
+  dataKey: CryptoKey;
+  dataKeyVersion: Date;
+  name: string;
+}

src/lib/components/organisms/index.ts

@@ -0,0 +1,3 @@
+export * from "./Category";
+export { default as Category } from "./Category";
+export * from "./modals";

src/lib/components/organisms/modals/CategoryCreateModal.svelte

@@ -0,0 +1,18 @@
+<script lang="ts">
+  import { TextInputModal } from "$lib/components/organisms";
+
+  interface Props {
+    isOpen: boolean;
+    onCreateClick: (name: string) => Promise<boolean>;
+  }
+
+  let { isOpen = $bindable(), onCreateClick }: Props = $props();
+</script>
+
+<TextInputModal
+  bind:isOpen
+  title="새 카테고리"
+  placeholder="카테고리 이름"
+  submitText="만들기"
+  onSubmitClick={onCreateClick}
+/>

src/lib/components/organisms/modals/RenameModal.svelte

@@ -0,0 +1,22 @@
+<script lang="ts">
+  import { TextInputModal } from "$lib/components/organisms";
+
+  interface Props {
+    isOpen: boolean;
+    onbeforeclose?: () => void;
+    onRenameClick: (newName: string) => Promise<boolean>;
+    originalName: string | undefined;
+  }
+
+  let { isOpen = $bindable(), onbeforeclose, onRenameClick, originalName }: Props = $props();
+</script>
+
+<TextInputModal
+  bind:isOpen
+  {onbeforeclose}
+  title="이름 바꾸기"
+  placeholder="이름"
+  defaultValue={originalName}
+  submitText="바꾸기"
+  onSubmitClick={onRenameClick}
+/>

src/lib/components/organisms/modals/TextInputModal.svelte

@@ -0,0 +1,42 @@
+<script lang="ts">
+  import { TextInput } from "$lib/components/atoms";
+  import { ActionModal, type ConfirmHandler } from "$lib/components/molecules";
+
+  interface Props {
+    defaultValue?: string;
+    isOpen: boolean;
+    onbeforeclose?: () => void;
+    onSubmitClick: (value: string) => ReturnType<ConfirmHandler>;
+    placeholder: string;
+    submitText: string;
+    title: string;
+  }
+
+  let {
+    defaultValue = "",
+    isOpen = $bindable(),
+    onbeforeclose,
+    onSubmitClick,
+    placeholder,
+    submitText,
+    title,
+  }: Props = $props();
+
+  let value = $state("");
+
+  $effect.pre(() => {
+    if (isOpen) {
+      value = defaultValue;
+    }
+  });
+</script>
+
+<ActionModal
+  bind:isOpen
+  {onbeforeclose}
+  {title}
+  confirmText={submitText}
+  onConfirmClick={() => onSubmitClick(value)}
+>
+  <TextInput bind:value {placeholder} class="mb-3" />
+</ActionModal>

src/lib/components/organisms/modals/index.ts

@@ -0,0 +1,3 @@
+export { default as CategoryCreateModal } from "./CategoryCreateModal.svelte";
+export { default as RenameModal } from "./RenameModal.svelte";
+export { default as TextInputModal } from "./TextInputModal.svelte";

src/lib/indexedDB/filesystem.ts

@@ -15,16 +15,28 @@ interface FileInfo {
   contentType: string;
   createdAt?: Date;
   lastModifiedAt: Date;
+  categoryIds: number[];
+}
+
+export type CategoryId = "root" | number;
+
+interface CategoryInfo {
+  id: number;
+  parentId: CategoryId;
+  name: string;
+  files: { id: number; isRecursive: boolean }[];
 }
 
 const filesystem = new Dexie("filesystem") as Dexie & {
   directory: EntityTable<DirectoryInfo, "id">;
   file: EntityTable<FileInfo, "id">;
+  category: EntityTable<CategoryInfo, "id">;
 };
 
-filesystem.version(1).stores({
+filesystem.version(2).stores({
   directory: "id, parentId",
   file: "id, parentId",
+  category: "id, parentId",
 });
 
 export const getDirectoryInfos = async (parentId: DirectoryId) => {
@@ -59,13 +71,29 @@ export const deleteFileInfo = async (id: number) => {
   await filesystem.file.delete(id);
 };
 
+export const getCategoryInfos = async (parentId: CategoryId) => {
+  return await filesystem.category.where({ parentId }).toArray();
+};
+
+export const getCategoryInfo = async (id: number) => {
+  return await filesystem.category.get(id);
+};
+
+export const storeCategoryInfo = async (categoryInfo: CategoryInfo) => {
+  await filesystem.category.put(categoryInfo);
+};
+
+export const deleteCategoryInfo = async (id: number) => {
+  await filesystem.category.delete(id);
+};
+
 export const cleanupDanglingInfos = async () => {
   const validDirectoryIds: number[] = [];
   const validFileIds: number[] = [];
-  const queue: DirectoryId[] = ["root"];
+  const directoryQueue: DirectoryId[] = ["root"];
 
   while (true) {
-    const directoryId = queue.shift();
+    const directoryId = directoryQueue.shift();
     if (!directoryId) break;
 
     const [subDirectories, files] = await Promise.all([
@@ -74,13 +102,28 @@ export const cleanupDanglingInfos = async () => {
     ]);
     subDirectories.forEach(({ id }) => {
       validDirectoryIds.push(id);
-      queue.push(id);
+      directoryQueue.push(id);
     });
     files.forEach(({ id }) => validFileIds.push(id));
   }
 
+  const validCategoryIds: number[] = [];
+  const categoryQueue: CategoryId[] = ["root"];
+
+  while (true) {
+    const categoryId = categoryQueue.shift();
+    if (!categoryId) break;
+
+    const subCategories = await filesystem.category.where({ parentId: categoryId }).toArray();
+    subCategories.forEach(({ id }) => {
+      validCategoryIds.push(id);
+      categoryQueue.push(id);
+    });
+  }
+
   await Promise.all([
     filesystem.directory.where("id").noneOf(validDirectoryIds).delete(),
     filesystem.file.where("id").noneOf(validFileIds).delete(),
+    filesystem.category.where("id").noneOf(validCategoryIds).delete(),
   ]);
 };

src/lib/modules/file/upload.ts

@@ -8,12 +8,14 @@ import {
   wrapDataKey,
   encryptData,
   encryptString,
+  digestMessage,
   signMessageHmac,
 } from "$lib/modules/crypto";
 import type {
   DuplicateFileScanRequest,
   DuplicateFileScanResponse,
   FileUploadRequest,
+  FileUploadResponse,
 } from "$lib/server/schemas";
 import {
   fileUploadStatusStore,
@@ -97,6 +99,8 @@ const encryptFile = limitFunction(
     const dataKeyWrapped = await wrapDataKey(dataKey, masterKey.key);
 
     const fileEncrypted = await encryptData(fileBuffer, dataKey);
+    const fileEncryptedHash = encodeToBase64(await digestMessage(fileEncrypted.ciphertext));
+
     const nameEncrypted = await encryptString(file.name, dataKey);
     const createdAtEncrypted =
       createdAt && (await encryptString(createdAt.getTime().toString(), dataKey));
@@ -110,8 +114,9 @@ const encryptFile = limitFunction(
     return {
       dataKeyWrapped,
       dataKeyVersion,
-      fileEncrypted,
       fileType,
+      fileEncrypted,
+      fileEncryptedHash,
       nameEncrypted,
       createdAtEncrypted,
       lastModifiedAtEncrypted,
@@ -127,7 +132,7 @@ const requestFileUpload = limitFunction(
       return value;
     });
 
-    await axios.post("/api/file/upload", form, {
+    const res = await axios.post("/api/file/upload", form, {
       onUploadProgress: ({ progress, rate, estimated }) => {
         status.update((value) => {
           value.progress = progress;
@@ -137,11 +142,14 @@ const requestFileUpload = limitFunction(
         });
       },
     });
+    const { file }: FileUploadResponse = res.data;
 
     status.update((value) => {
       value.status = "uploaded";
       return value;
     });
+
+    return { fileId: file };
   },
   { concurrency: 1 },
 );
@@ -152,7 +160,7 @@ export const uploadFile = async (
   hmacSecret: HmacSecret,
   masterKey: MasterKey,
   onDuplicate: () => Promise<boolean>,
-) => {
+): Promise<{ fileId: number; fileBuffer: ArrayBuffer } | undefined> => {
   const status = writable<FileUploadStatus>({
     name: file.name,
     parentId,
@@ -178,14 +186,15 @@ export const uploadFile = async (
         value = value.filter((v) => v !== status);
         return value;
       });
-      return false;
+      return undefined;
     }
 
     const {
       dataKeyWrapped,
       dataKeyVersion,
-      fileEncrypted,
       fileType,
+      fileEncrypted,
+      fileEncryptedHash,
       nameEncrypted,
       createdAtEncrypted,
       lastModifiedAtEncrypted,
@@ -212,9 +221,10 @@ export const uploadFile = async (
       } as FileUploadRequest),
     );
     form.set("content", new Blob([fileEncrypted.ciphertext]));
+    form.set("checksum", fileEncryptedHash);
 
-    await requestFileUpload(status, form);
-    return true;
+    const { fileId } = await requestFileUpload(status, form);
+    return { fileId, fileBuffer };
   } catch (e) {
     status.update((value) => {
       value.status = "error";

src/lib/modules/filesystem.ts

@@ -9,10 +9,20 @@ import {
   getFileInfo as getFileInfoFromIndexedDB,
   storeFileInfo,
   deleteFileInfo,
+  getCategoryInfos as getCategoryInfosFromIndexedDB,
+  getCategoryInfo as getCategoryInfoFromIndexedDB,
+  storeCategoryInfo,
+  deleteCategoryInfo,
   type DirectoryId,
+  type CategoryId,
 } from "$lib/indexedDB";
 import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
-import type { DirectoryInfoResponse, FileInfoResponse } from "$lib/server/schemas";
+import type {
+  CategoryInfoResponse,
+  CategoryFileListResponse,
+  DirectoryInfoResponse,
+  FileInfoResponse,
+} from "$lib/server/schemas";
 
 export type DirectoryInfo =
   | {
@@ -41,10 +51,30 @@ export interface FileInfo {
   name: string;
   createdAt?: Date;
   lastModifiedAt: Date;
+  categoryIds: number[];
 }
 
+export type CategoryInfo =
+  | {
+      id: "root";
+      dataKey?: undefined;
+      dataKeyVersion?: undefined;
+      name?: undefined;
+      subCategoryIds: number[];
+      files?: undefined;
+    }
+  | {
+      id: number;
+      dataKey?: CryptoKey;
+      dataKeyVersion?: Date;
+      name: string;
+      subCategoryIds: number[];
+      files: { id: number; isRecursive: boolean }[];
+    };
+
 const directoryInfoStore = new Map<DirectoryId, Writable<DirectoryInfo | null>>();
 const fileInfoStore = new Map<number, Writable<FileInfo | null>>();
+const categoryInfoStore = new Map<CategoryId, Writable<CategoryInfo | null>>();
 
 const fetchDirectoryInfoFromIndexedDB = async (
   id: DirectoryId,
@@ -77,6 +107,7 @@ const fetchDirectoryInfoFromServer = async (
   if (res.status === 404) {
     info.set(null);
     await deleteDirectoryInfo(id as number);
+    return;
   } else if (!res.ok) {
     throw new Error("Failed to fetch directory information");
   }
@@ -123,7 +154,7 @@ export const getDirectoryInfo = (id: DirectoryId, masterKey: CryptoKey) => {
     directoryInfoStore.set(id, info);
   }
 
-  fetchDirectoryInfo(id, info, masterKey);
+  fetchDirectoryInfo(id, info, masterKey); // Intended
   return info;
 };
 
@@ -149,6 +180,7 @@ const fetchFileInfoFromServer = async (
   if (res.status === 404) {
     info.set(null);
     await deleteFileInfo(id);
+    return;
   } else if (!res.ok) {
     throw new Error("Failed to fetch file information");
   }
@@ -176,6 +208,7 @@ const fetchFileInfoFromServer = async (
     name,
     createdAt,
     lastModifiedAt,
+    categoryIds: metadata.categories,
   });
   await storeFileInfo({
     id,
@@ -184,6 +217,7 @@ const fetchFileInfoFromServer = async (
     contentType: metadata.contentType,
     createdAt,
     lastModifiedAt,
+    categoryIds: metadata.categories,
   });
 };
 
@@ -201,6 +235,95 @@ export const getFileInfo = (fileId: number, masterKey: CryptoKey) => {
     fileInfoStore.set(fileId, info);
   }
 
-  fetchFileInfo(fileId, info, masterKey);
+  fetchFileInfo(fileId, info, masterKey); // Intended
+  return info;
+};
+
+const fetchCategoryInfoFromIndexedDB = async (
+  id: CategoryId,
+  info: Writable<CategoryInfo | null>,
+) => {
+  if (get(info)) return;
+
+  const [category, subCategories] = await Promise.all([
+    id !== "root" ? getCategoryInfoFromIndexedDB(id) : undefined,
+    getCategoryInfosFromIndexedDB(id),
+  ]);
+  const subCategoryIds = subCategories.map(({ id }) => id);
+
+  if (id === "root") {
+    info.set({ id, subCategoryIds });
+  } else {
+    if (!category) return;
+    info.set({ id, name: category.name, subCategoryIds, files: category.files });
+  }
+};
+
+const fetchCategoryInfoFromServer = async (
+  id: CategoryId,
+  info: Writable<CategoryInfo | null>,
+  masterKey: CryptoKey,
+) => {
+  let res = await callGetApi(`/api/category/${id}`);
+  if (res.status === 404) {
+    info.set(null);
+    await deleteCategoryInfo(id as number);
+    return;
+  } else if (!res.ok) {
+    throw new Error("Failed to fetch category information");
+  }
+
+  const { metadata, subCategories }: CategoryInfoResponse = await res.json();
+
+  if (id === "root") {
+    info.set({ id, subCategoryIds: subCategories });
+  } else {
+    const { dataKey } = await unwrapDataKey(metadata!.dek, masterKey);
+    const name = await decryptString(metadata!.name, metadata!.nameIv, dataKey);
+
+    res = await callGetApi(`/api/category/${id}/file/list?recurse=true`);
+    if (!res.ok) {
+      throw new Error("Failed to fetch category files");
+    }
+
+    const { files }: CategoryFileListResponse = await res.json();
+    const filesMapped = files.map(({ file, isRecursive }) => ({ id: file, isRecursive }));
+
+    info.set({
+      id,
+      dataKey,
+      dataKeyVersion: new Date(metadata!.dekVersion),
+      name,
+      subCategoryIds: subCategories,
+      files: filesMapped,
+    });
+    await storeCategoryInfo({
+      id,
+      parentId: metadata!.parent,
+      name,
+      files: filesMapped,
+    });
+  }
+};
+
+const fetchCategoryInfo = async (
+  id: CategoryId,
+  info: Writable<CategoryInfo | null>,
+  masterKey: CryptoKey,
+) => {
+  await fetchCategoryInfoFromIndexedDB(id, info);
+  await fetchCategoryInfoFromServer(id, info, masterKey);
+};
+
+export const getCategoryInfo = (categoryId: CategoryId, masterKey: CryptoKey) => {
+  // TODO: MEK rotation
+
+  let info = categoryInfoStore.get(categoryId);
+  if (!info) {
+    info = writable(null);
+    categoryInfoStore.set(categoryId, info);
+  }
+
+  fetchCategoryInfo(categoryId, info, masterKey); // Intended
   return info;
 };

src/lib/modules/util.ts

@@ -27,3 +27,37 @@ export const formatNetworkSpeed = (speed: number) => {
   if (speed < 1000 * 1000 * 1000) return `${(speed / 1000 / 1000).toFixed(1)} Mbps`;
   return `${(speed / 1000 / 1000 / 1000).toFixed(1)} Gbps`;
 };
+
+export const truncateString = (str: string, maxLength = 20) => {
+  if (str.length <= maxLength) return str;
+  return `${str.slice(0, maxLength)}...`;
+};
+
+export enum SortBy {
+  NAME_ASC,
+  NAME_DESC,
+}
+
+type SortFunc = (a?: string, b?: string) => number;
+
+const collator = new Intl.Collator(undefined, { numeric: true, sensitivity: "base" });
+
+const sortByNameAsc: SortFunc = (a, b) => {
+  if (a && b) return collator.compare(a, b);
+  if (a) return -1;
+  if (b) return 1;
+  return 0;
+};
+
+const sortByNameDesc: SortFunc = (a, b) => -sortByNameAsc(a, b);
+
+export const sortEntries = <T extends { name?: string }>(entries: T[], sortBy: SortBy) => {
+  let sortFunc: SortFunc;
+  if (sortBy === SortBy.NAME_ASC) {
+    sortFunc = sortByNameAsc;
+  } else {
+    sortFunc = sortByNameDesc;
+  }
+
+  entries.sort((a, b) => sortFunc(a.name, b.name));
+};

src/lib/server/db/category.ts

@@ -0,0 +1,147 @@
+import { IntegrityError } from "./error";
+import db from "./kysely";
+import type { Ciphertext } from "./schema";
+
+export type CategoryId = "root" | number;
+
+interface Category {
+  id: number;
+  parentId: CategoryId;
+  userId: number;
+  mekVersion: number;
+  encDek: string;
+  dekVersion: Date;
+  encName: Ciphertext;
+}
+
+export type NewCategory = Omit<Category, "id">;
+
+export const registerCategory = async (params: NewCategory) => {
+  await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
+
+    const { categoryId } = await trx
+      .insertInto("category")
+      .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
+        master_encryption_key_version: params.mekVersion,
+        encrypted_data_encryption_key: params.encDek,
+        data_encryption_key_version: params.dekVersion,
+        encrypted_name: params.encName,
+      })
+      .returning("id as categoryId")
+      .executeTakeFirstOrThrow();
+    await trx
+      .insertInto("category_log")
+      .values({
+        category_id: categoryId,
+        timestamp: new Date(),
+        action: "create",
+        new_name: params.encName,
+      })
+      .execute();
+  });
+};
+
+export const getAllCategoriesByParent = async (userId: number, parentId: CategoryId) => {
+  let query = db.selectFrom("category").selectAll().where("user_id", "=", userId);
+  query =
+    parentId === "root"
+      ? query.where("parent_id", "is", null)
+      : query.where("parent_id", "=", parentId);
+  const categories = await query.execute();
+  return categories.map(
+    (category) =>
+      ({
+        id: category.id,
+        parentId: category.parent_id ?? "root",
+        userId: category.user_id,
+        mekVersion: category.master_encryption_key_version,
+        encDek: category.encrypted_data_encryption_key,
+        dekVersion: category.data_encryption_key_version,
+        encName: category.encrypted_name,
+      }) satisfies Category,
+  );
+};
+
+export const getCategory = async (userId: number, categoryId: number) => {
+  const category = await db
+    .selectFrom("category")
+    .selectAll()
+    .where("id", "=", categoryId)
+    .where("user_id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return category
+    ? ({
+        id: category.id,
+        parentId: category.parent_id ?? "root",
+        userId: category.user_id,
+        mekVersion: category.master_encryption_key_version,
+        encDek: category.encrypted_data_encryption_key,
+        dekVersion: category.data_encryption_key_version,
+        encName: category.encrypted_name,
+      } satisfies Category)
+    : null;
+};
+
+export const setCategoryEncName = async (
+  userId: number,
+  categoryId: number,
+  dekVersion: Date,
+  encName: Ciphertext,
+) => {
+  await db.transaction().execute(async (trx) => {
+    const category = await trx
+      .selectFrom("category")
+      .select("data_encryption_key_version")
+      .where("id", "=", categoryId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!category) {
+      throw new IntegrityError("Category not found");
+    } else if (category.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
+
+    await trx
+      .updateTable("category")
+      .set({ encrypted_name: encName })
+      .where("id", "=", categoryId)
+      .where("user_id", "=", userId)
+      .execute();
+    await trx
+      .insertInto("category_log")
+      .values({
+        category_id: categoryId,
+        timestamp: new Date(),
+        action: "rename",
+        new_name: encName,
+      })
+      .execute();
+  });
+};
+
+export const unregisterCategory = async (userId: number, categoryId: number) => {
+  const res = await db
+    .deleteFrom("category")
+    .where("id", "=", categoryId)
+    .where("user_id", "=", userId)
+    .executeTakeFirst();
+  if (res.numDeletedRows === 0n) {
+    throw new IntegrityError("Category not found");
+  }
+};

src/lib/server/db/client.ts

@@ -1,53 +1,97 @@
-import { SqliteError } from "better-sqlite3";
-import { and, or, eq, gt, lte } from "drizzle-orm";
-import db from "./drizzle";
+import pg from "pg";
 import { IntegrityError } from "./error";
-import { client, userClient, userClientChallenge } from "./schema";
+import db from "./kysely";
+import type { UserClientState } from "./schema";
+
+interface Client {
+  id: number;
+  encPubKey: string;
+  sigPubKey: string;
+}
+
+interface UserClient {
+  userId: number;
+  clientId: number;
+  state: UserClientState;
+}
+
+interface UserClientWithDetails extends UserClient {
+  encPubKey: string;
+  sigPubKey: string;
+}
 
 export const createClient = async (encPubKey: string, sigPubKey: string, userId: number) => {
-  return await db.transaction(
-    async (tx) => {
-      const clients = await tx
-        .select({ id: client.id })
-        .from(client)
-        .where(or(eq(client.encPubKey, sigPubKey), eq(client.sigPubKey, encPubKey)))
-        .limit(1);
-      if (clients.length !== 0) {
+  return await db
+    .transaction()
+    .setIsolationLevel("serializable")
+    .execute(async (trx) => {
+      const client = await trx
+        .selectFrom("client")
+        .where((eb) =>
+          eb.or([
+            eb("encryption_public_key", "=", encPubKey),
+            eb("encryption_public_key", "=", sigPubKey),
+            eb("signature_public_key", "=", encPubKey),
+            eb("signature_public_key", "=", sigPubKey),
+          ]),
+        )
+        .limit(1)
+        .executeTakeFirst();
+      if (client) {
         throw new IntegrityError("Public key(s) already registered");
       }
 
-      const newClients = await tx
-        .insert(client)
-        .values({ encPubKey, sigPubKey })
-        .returning({ id: client.id });
-      const { id: clientId } = newClients[0]!;
-      await tx.insert(userClient).values({ userId, clientId });
-
-      return clientId;
-    },
-    { behavior: "exclusive" },
-  );
+      const { clientId } = await trx
+        .insertInto("client")
+        .values({ encryption_public_key: encPubKey, signature_public_key: sigPubKey })
+        .returning("id as clientId")
+        .executeTakeFirstOrThrow();
+      await trx
+        .insertInto("user_client")
+        .values({ user_id: userId, client_id: clientId })
+        .execute();
+      return { id: clientId };
+    });
 };
 
 export const getClient = async (clientId: number) => {
-  const clients = await db.select().from(client).where(eq(client.id, clientId)).limit(1);
-  return clients[0] ?? null;
+  const client = await db
+    .selectFrom("client")
+    .selectAll()
+    .where("id", "=", clientId)
+    .limit(1)
+    .executeTakeFirst();
+  return client
+    ? ({
+        id: client.id,
+        encPubKey: client.encryption_public_key,
+        sigPubKey: client.signature_public_key,
+      } satisfies Client)
+    : null;
 };
 
 export const getClientByPubKeys = async (encPubKey: string, sigPubKey: string) => {
-  const clients = await db
-    .select()
-    .from(client)
-    .where(and(eq(client.encPubKey, encPubKey), eq(client.sigPubKey, sigPubKey)))
-    .limit(1);
-  return clients[0] ?? null;
+  const client = await db
+    .selectFrom("client")
+    .selectAll()
+    .where("encryption_public_key", "=", encPubKey)
+    .where("signature_public_key", "=", sigPubKey)
+    .limit(1)
+    .executeTakeFirst();
+  return client
+    ? ({
+        id: client.id,
+        encPubKey: client.encryption_public_key,
+        sigPubKey: client.signature_public_key,
+      } satisfies Client)
+    : null;
 };
 
 export const createUserClient = async (userId: number, clientId: number) => {
   try {
-    await db.insert(userClient).values({ userId, clientId });
+    await db.insertInto("user_client").values({ user_id: userId, client_id: clientId }).execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
+    if (e instanceof pg.DatabaseError && e.code === "23505") {
       throw new IntegrityError("User client already exists");
     }
     throw e;
@@ -55,52 +99,76 @@ export const createUserClient = async (userId: number, clientId: number) => {
 };
 
 export const getAllUserClients = async (userId: number) => {
-  return await db.select().from(userClient).where(eq(userClient.userId, userId));
+  const userClients = await db
+    .selectFrom("user_client")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .execute();
+  return userClients.map(
+    ({ user_id, client_id, state }) =>
+      ({
+        userId: user_id,
+        clientId: client_id,
+        state,
+      }) satisfies UserClient,
+  );
 };
 
 export const getUserClient = async (userId: number, clientId: number) => {
-  const userClients = await db
-    .select()
-    .from(userClient)
-    .where(and(eq(userClient.userId, userId), eq(userClient.clientId, clientId)))
-    .limit(1);
-  return userClients[0] ?? null;
+  const userClient = await db
+    .selectFrom("user_client")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .where("client_id", "=", clientId)
+    .limit(1)
+    .executeTakeFirst();
+  return userClient
+    ? ({
+        userId: userClient.user_id,
+        clientId: userClient.client_id,
+        state: userClient.state,
+      } satisfies UserClient)
+    : null;
 };
 
 export const getUserClientWithDetails = async (userId: number, clientId: number) => {
-  const userClients = await db
-    .select()
-    .from(userClient)
-    .innerJoin(client, eq(userClient.clientId, client.id))
-    .where(and(eq(userClient.userId, userId), eq(userClient.clientId, clientId)))
-    .limit(1);
-  return userClients[0] ?? null;
+  const userClient = await db
+    .selectFrom("user_client")
+    .innerJoin("client", "user_client.client_id", "client.id")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .where("client_id", "=", clientId)
+    .limit(1)
+    .executeTakeFirst();
+  return userClient
+    ? ({
+        userId: userClient.user_id,
+        clientId: userClient.client_id,
+        state: userClient.state,
+        encPubKey: userClient.encryption_public_key,
+        sigPubKey: userClient.signature_public_key,
+      } satisfies UserClientWithDetails)
+    : null;
 };
 
 export const setUserClientStateToPending = async (userId: number, clientId: number) => {
   await db
-    .update(userClient)
+    .updateTable("user_client")
     .set({ state: "pending" })
-    .where(
-      and(
-        eq(userClient.userId, userId),
-        eq(userClient.clientId, clientId),
-        eq(userClient.state, "challenging"),
-      ),
-    );
+    .where("user_id", "=", userId)
+    .where("client_id", "=", clientId)
+    .where("state", "=", "challenging")
+    .execute();
 };
 
 export const setUserClientStateToActive = async (userId: number, clientId: number) => {
   await db
-    .update(userClient)
+    .updateTable("user_client")
     .set({ state: "active" })
-    .where(
-      and(
-        eq(userClient.userId, userId),
-        eq(userClient.clientId, clientId),
-        eq(userClient.state, "pending"),
-      ),
-    );
+    .where("user_id", "=", userId)
+    .where("client_id", "=", clientId)
+    .where("state", "=", "pending")
+    .execute();
 };
 
 export const registerUserClientChallenge = async (
@@ -110,30 +178,30 @@ export const registerUserClientChallenge = async (
   allowedIp: string,
   expiresAt: Date,
 ) => {
-  await db.insert(userClientChallenge).values({
-    userId,
-    clientId,
-    answer,
-    allowedIp,
-    expiresAt,
-  });
+  await db
+    .insertInto("user_client_challenge")
+    .values({
+      user_id: userId,
+      client_id: clientId,
+      answer,
+      allowed_ip: allowedIp,
+      expires_at: expiresAt,
+    })
+    .execute();
 };
 
 export const consumeUserClientChallenge = async (userId: number, answer: string, ip: string) => {
-  const challenges = await db
-    .delete(userClientChallenge)
-    .where(
-      and(
-        eq(userClientChallenge.userId, userId),
-        eq(userClientChallenge.answer, answer),
-        eq(userClientChallenge.allowedIp, ip),
-        gt(userClientChallenge.expiresAt, new Date()),
-      ),
-    )
-    .returning({ clientId: userClientChallenge.clientId });
-  return challenges[0] ?? null;
+  const challenge = await db
+    .deleteFrom("user_client_challenge")
+    .where("user_id", "=", userId)
+    .where("answer", "=", answer)
+    .where("allowed_ip", "=", ip)
+    .where("expires_at", ">", new Date())
+    .returning("client_id")
+    .executeTakeFirst();
+  return challenge ? { clientId: challenge.client_id } : null;
 };
 
 export const cleanupExpiredUserClientChallenges = async () => {
-  await db.delete(userClientChallenge).where(lte(userClientChallenge.expiresAt, new Date()));
+  await db.deleteFrom("user_client_challenge").where("expires_at", "<=", new Date()).execute();
 };

src/lib/server/db/drizzle.ts

@@ -1,15 +0,0 @@
-import Database from "better-sqlite3";
-import { drizzle } from "drizzle-orm/better-sqlite3";
-import { migrate } from "drizzle-orm/better-sqlite3/migrator";
-import env from "$lib/server/loadenv";
-
-const client = new Database(env.databaseUrl);
-const db = drizzle(client);
-
-export const migrateDB = () => {
-  if (process.env.NODE_ENV === "production") {
-    migrate(db, { migrationsFolder: "./drizzle" });
-  }
-};
-
-export default db;

src/lib/server/db/error.ts

@@ -1,4 +1,6 @@
 type IntegrityErrorMessages =
+  // Category
+  | "Category not found"
   // Challenge
   | "Challenge already registered"
   // Client
@@ -7,6 +9,8 @@ type IntegrityErrorMessages =
   // File
   | "Directory not found"
   | "File not found"
+  | "File not found in category"
+  | "File already added to category"
   | "Invalid DEK version"
   // HSK
   | "HSK already registered"

src/lib/server/db/file.ts

@@ -1,21 +1,25 @@
-import { and, eq, isNull } from "drizzle-orm";
-import db from "./drizzle";
+import { sql, type NotNull } from "kysely";
+import pg from "pg";
 import { IntegrityError } from "./error";
-import { directory, directoryLog, file, fileLog, hsk, mek } from "./schema";
+import db from "./kysely";
+import type { Ciphertext } from "./schema";
 
-type DirectoryId = "root" | number;
+export type DirectoryId = "root" | number;
 
-export interface NewDirectoryParams {
+interface Directory {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   mekVersion: number;
   encDek: string;
   dekVersion: Date;
-  encName: string;
-  encNameIv: string;
+  encName: Ciphertext;
 }
 
-export interface NewFileParams {
+export type NewDirectory = Omit<Directory, "id">;
+
+interface File {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   path: string;
@@ -26,216 +30,306 @@ export interface NewFileParams {
   contentHmac: string | null;
   contentType: string;
   encContentIv: string;
-  encName: string;
-  encNameIv: string;
-  encCreatedAt: string | null;
-  encCreatedAtIv: string | null;
-  encLastModifiedAt: string;
-  encLastModifiedAtIv: string;
+  encContentHash: string;
+  encName: Ciphertext;
+  encCreatedAt: Ciphertext | null;
+  encLastModifiedAt: Ciphertext;
 }
 
-export const registerDirectory = async (params: NewDirectoryParams) => {
-  await db.transaction(
-    async (tx) => {
-      const meks = await tx
-        .select({ version: mek.version })
-        .from(mek)
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
-        .limit(1);
-      if (meks[0]?.version !== params.mekVersion) {
-        throw new IntegrityError("Inactive MEK version");
-      }
+export type NewFile = Omit<File, "id">;
 
-      const newDirectories = await tx
-        .insert(directory)
-        .values({
-          parentId: params.parentId === "root" ? null : params.parentId,
-          userId: params.userId,
-          mekVersion: params.mekVersion,
-          encDek: params.encDek,
-          dekVersion: params.dekVersion,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
-        })
-        .returning({ id: directory.id });
-      const { id: directoryId } = newDirectories[0]!;
-      await tx.insert(directoryLog).values({
-        directoryId,
+export const registerDirectory = async (params: NewDirectory) => {
+  await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
+
+    const { directoryId } = await trx
+      .insertInto("directory")
+      .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
+        master_encryption_key_version: params.mekVersion,
+        encrypted_data_encryption_key: params.encDek,
+        data_encryption_key_version: params.dekVersion,
+        encrypted_name: params.encName,
+      })
+      .returning("id as directoryId")
+      .executeTakeFirstOrThrow();
+    await trx
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: params.encName,
+      })
+      .execute();
+  });
 };
 
 export const getAllDirectoriesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
-    .select()
-    .from(directory)
-    .where(
-      and(
-        eq(directory.userId, userId),
-        parentId === "root" ? isNull(directory.parentId) : eq(directory.parentId, parentId),
-      ),
-    );
+  let query = db.selectFrom("directory").selectAll().where("user_id", "=", userId);
+  query =
+    parentId === "root"
+      ? query.where("parent_id", "is", null)
+      : query.where("parent_id", "=", parentId);
+  const directories = await query.execute();
+  return directories.map(
+    (directory) =>
+      ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      }) satisfies Directory,
+  );
 };
 
 export const getDirectory = async (userId: number, directoryId: number) => {
-  const res = await db
-    .select()
-    .from(directory)
-    .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
-    .limit(1);
-  return res[0] ?? null;
+  const directory = await db
+    .selectFrom("directory")
+    .selectAll()
+    .where("id", "=", directoryId)
+    .where("user_id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return directory
+    ? ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      } satisfies Directory)
+    : null;
 };
 
 export const setDirectoryEncName = async (
   userId: number,
   directoryId: number,
   dekVersion: Date,
-  encName: string,
-  encNameIv: string,
+  encName: Ciphertext,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      const directories = await tx
-        .select({ version: directory.dekVersion })
-        .from(directory)
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
-        .limit(1);
-      if (!directories[0]) {
-        throw new IntegrityError("Directory not found");
-      } else if (directories[0].version.getTime() !== dekVersion.getTime()) {
-        throw new IntegrityError("Invalid DEK version");
-      }
+  await db.transaction().execute(async (trx) => {
+    const directory = await trx
+      .selectFrom("directory")
+      .select("data_encryption_key_version")
+      .where("id", "=", directoryId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!directory) {
+      throw new IntegrityError("Directory not found");
+    } else if (directory.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
 
-      await tx
-        .update(directory)
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)));
-      await tx.insert(directoryLog).values({
-        directoryId,
+    await trx
+      .updateTable("directory")
+      .set({ encrypted_name: encName })
+      .where("id", "=", directoryId)
+      .where("user_id", "=", userId)
+      .execute();
+    await trx
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: encName,
+      })
+      .execute();
+  });
 };
 
 export const unregisterDirectory = async (userId: number, directoryId: number) => {
-  return await db.transaction(
-    async (tx) => {
+  return await db
+    .transaction()
+    .setIsolationLevel("repeatable read") // TODO: Sufficient?
+    .execute(async (trx) => {
       const unregisterFiles = async (parentId: number) => {
-        return await tx
-          .delete(file)
-          .where(and(eq(file.userId, userId), eq(file.parentId, parentId)))
-          .returning({ id: file.id, path: file.path });
+        return await trx
+          .deleteFrom("file")
+          .where("parent_id", "=", parentId)
+          .where("user_id", "=", userId)
+          .returning(["id", "path"])
+          .execute();
       };
       const unregisterDirectoryRecursively = async (
         directoryId: number,
       ): Promise<{ id: number; path: string }[]> => {
         const files = await unregisterFiles(directoryId);
-        const subDirectories = await tx
-          .select({ id: directory.id })
-          .from(directory)
-          .where(and(eq(directory.userId, userId), eq(directory.parentId, directoryId)));
+        const subDirectories = await trx
+          .selectFrom("directory")
+          .select("id")
+          .where("parent_id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .execute();
         const subDirectoryFilePaths = await Promise.all(
           subDirectories.map(async ({ id }) => await unregisterDirectoryRecursively(id)),
         );
 
-        const deleteRes = await tx.delete(directory).where(eq(directory.id, directoryId));
-        if (deleteRes.changes === 0) {
+        const deleteRes = await trx
+          .deleteFrom("directory")
+          .where("id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .executeTakeFirst();
+        if (deleteRes.numDeletedRows === 0n) {
           throw new IntegrityError("Directory not found");
         }
         return files.concat(...subDirectoryFilePaths);
       };
       return await unregisterDirectoryRecursively(directoryId);
-    },
-    { behavior: "exclusive" },
-  );
+    });
 };
 
-export const registerFile = async (params: NewFileParams) => {
-  if (
-    (params.hskVersion && !params.contentHmac) ||
-    (!params.hskVersion && params.contentHmac) ||
-    (params.encCreatedAt && !params.encCreatedAtIv) ||
-    (!params.encCreatedAt && params.encCreatedAtIv)
-  ) {
+export const registerFile = async (params: NewFile) => {
+  if ((params.hskVersion && !params.contentHmac) || (!params.hskVersion && params.contentHmac)) {
     throw new Error("Invalid arguments");
   }
 
-  await db.transaction(
-    async (tx) => {
-      const meks = await tx
-        .select({ version: mek.version })
-        .from(mek)
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
-        .limit(1);
-      if (meks[0]?.version !== params.mekVersion) {
-        throw new IntegrityError("Inactive MEK version");
-      }
+  return await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
 
-      if (params.hskVersion) {
-        const hsks = await tx
-          .select({ version: hsk.version })
-          .from(hsk)
-          .where(and(eq(hsk.userId, params.userId), eq(hsk.state, "active")))
-          .limit(1);
-        if (hsks[0]?.version !== params.hskVersion) {
-          throw new IntegrityError("Inactive HSK version");
-        }
+    if (params.hskVersion) {
+      const hsk = await trx
+        .selectFrom("hmac_secret_key")
+        .select("version")
+        .where("user_id", "=", params.userId)
+        .where("state", "=", "active")
+        .limit(1)
+        .forUpdate()
+        .executeTakeFirst();
+      if (hsk?.version !== params.hskVersion) {
+        throw new IntegrityError("Inactive HSK version");
       }
+    }
 
-      const newFiles = await tx
-        .insert(file)
-        .values({
-          path: params.path,
-          parentId: params.parentId === "root" ? null : params.parentId,
-          userId: params.userId,
-          mekVersion: params.mekVersion,
-          hskVersion: params.hskVersion,
-          contentHmac: params.contentHmac,
-          contentType: params.contentType,
-          encDek: params.encDek,
-          dekVersion: params.dekVersion,
-          encContentIv: params.encContentIv,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
-          encCreatedAt:
-            params.encCreatedAt && params.encCreatedAtIv
-              ? { ciphertext: params.encCreatedAt, iv: params.encCreatedAtIv }
-              : null,
-          encLastModifiedAt: {
-            ciphertext: params.encLastModifiedAt,
-            iv: params.encLastModifiedAtIv,
-          },
-        })
-        .returning({ id: file.id });
-      const { id: fileId } = newFiles[0]!;
-      await tx.insert(fileLog).values({
-        fileId,
+    const { fileId } = await trx
+      .insertInto("file")
+      .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
+        path: params.path,
+        master_encryption_key_version: params.mekVersion,
+        encrypted_data_encryption_key: params.encDek,
+        data_encryption_key_version: params.dekVersion,
+        hmac_secret_key_version: params.hskVersion,
+        content_hmac: params.contentHmac,
+        content_type: params.contentType,
+        encrypted_content_iv: params.encContentIv,
+        encrypted_content_hash: params.encContentHash,
+        encrypted_name: params.encName,
+        encrypted_created_at: params.encCreatedAt,
+        encrypted_last_modified_at: params.encLastModifiedAt,
+      })
+      .returning("id as fileId")
+      .executeTakeFirstOrThrow();
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: params.encName,
+      })
+      .execute();
+    return { id: fileId };
+  });
 };
 
 export const getAllFilesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
-    .select()
-    .from(file)
-    .where(
-      and(
-        eq(file.userId, userId),
-        parentId === "root" ? isNull(file.parentId) : eq(file.parentId, parentId),
-      ),
-    );
+  let query = db.selectFrom("file").selectAll().where("user_id", "=", userId);
+  query =
+    parentId === "root"
+      ? query.where("parent_id", "is", null)
+      : query.where("parent_id", "=", parentId);
+  const files = await query.execute();
+  return files.map(
+    (file) =>
+      ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      }) satisfies File,
+  );
+};
+
+export const getAllFilesByCategory = async (
+  userId: number,
+  categoryId: number,
+  recurse: boolean,
+) => {
+  const files = await db
+    .withRecursive("cte", (db) =>
+      db
+        .selectFrom("category")
+        .leftJoin("file_category", "category.id", "file_category.category_id")
+        .select(["id", "parent_id", "user_id", "file_category.file_id"])
+        .select(sql<number>`0`.as("depth"))
+        .where("id", "=", categoryId)
+        .$if(recurse, (qb) =>
+          qb.unionAll((db) =>
+            db
+              .selectFrom("category")
+              .leftJoin("file_category", "category.id", "file_category.category_id")
+              .innerJoin("cte", "category.parent_id", "cte.id")
+              .select([
+                "category.id",
+                "category.parent_id",
+                "category.user_id",
+                "file_category.file_id",
+              ])
+              .select(sql<number>`cte.depth + 1`.as("depth")),
+          ),
+        ),
+    )
+    .selectFrom("cte")
+    .select(["file_id", "depth"])
+    .distinctOn("file_id")
+    .where("user_id", "=", userId)
+    .where("file_id", "is not", null)
+    .$narrowType<{ file_id: NotNull }>()
+    .orderBy(["file_id", "depth"])
+    .execute();
+  return files.map(({ file_id, depth }) => ({ id: file_id, isRecursive: depth > 0 }));
 };
 
 export const getAllFileIdsByContentHmac = async (
@@ -243,69 +337,150 @@ export const getAllFileIdsByContentHmac = async (
   hskVersion: number,
   contentHmac: string,
 ) => {
-  return await db
-    .select({ id: file.id })
-    .from(file)
-    .where(
-      and(
-        eq(file.userId, userId),
-        eq(file.hskVersion, hskVersion),
-        eq(file.contentHmac, contentHmac),
-      ),
-    );
+  const files = await db
+    .selectFrom("file")
+    .select("id")
+    .where("user_id", "=", userId)
+    .where("hmac_secret_key_version", "=", hskVersion)
+    .where("content_hmac", "=", contentHmac)
+    .execute();
+  return files.map(({ id }) => ({ id }));
 };
 
 export const getFile = async (userId: number, fileId: number) => {
-  const res = await db
-    .select()
-    .from(file)
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-    .limit(1);
-  return res[0] ?? null;
+  const file = await db
+    .selectFrom("file")
+    .selectAll()
+    .where("id", "=", fileId)
+    .where("user_id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return file
+    ? ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      } satisfies File)
+    : null;
 };
 
 export const setFileEncName = async (
   userId: number,
   fileId: number,
   dekVersion: Date,
-  encName: string,
-  encNameIv: string,
+  encName: Ciphertext,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      const files = await tx
-        .select({ version: file.dekVersion })
-        .from(file)
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-        .limit(1);
-      if (!files[0]) {
-        throw new IntegrityError("File not found");
-      } else if (files[0].version.getTime() !== dekVersion.getTime()) {
-        throw new IntegrityError("Invalid DEK version");
-      }
+  await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .select("data_encryption_key_version")
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
 
-      await tx
-        .update(file)
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)));
-      await tx.insert(fileLog).values({
-        fileId,
+    await trx
+      .updateTable("file")
+      .set({ encrypted_name: encName })
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .execute();
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: encName,
+      })
+      .execute();
+  });
 };
 
 export const unregisterFile = async (userId: number, fileId: number) => {
-  const files = await db
-    .delete(file)
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-    .returning({ path: file.path });
-  if (!files[0]) {
+  const file = await db
+    .deleteFrom("file")
+    .where("id", "=", fileId)
+    .where("user_id", "=", userId)
+    .returning("path")
+    .executeTakeFirst();
+  if (!file) {
     throw new IntegrityError("File not found");
   }
-  return files[0].path;
+  return { path: file.path };
+};
+
+export const addFileToCategory = async (fileId: number, categoryId: number) => {
+  await db.transaction().execute(async (trx) => {
+    try {
+      await trx
+        .insertInto("file_category")
+        .values({ file_id: fileId, category_id: categoryId })
+        .execute();
+      await trx
+        .insertInto("file_log")
+        .values({
+          file_id: fileId,
+          timestamp: new Date(),
+          action: "add-to-category",
+          category_id: categoryId,
+        })
+        .execute();
+    } catch (e) {
+      if (e instanceof pg.DatabaseError && e.code === "23505") {
+        throw new IntegrityError("File already added to category");
+      }
+      throw e;
+    }
+  });
+};
+
+export const getAllFileCategories = async (fileId: number) => {
+  const categories = await db
+    .selectFrom("file_category")
+    .select("category_id")
+    .where("file_id", "=", fileId)
+    .execute();
+  return categories.map(({ category_id }) => ({ id: category_id }));
+};
+
+export const removeFileFromCategory = async (fileId: number, categoryId: number) => {
+  await db.transaction().execute(async (trx) => {
+    const res = await trx
+      .deleteFrom("file_category")
+      .where("file_id", "=", fileId)
+      .where("category_id", "=", categoryId)
+      .executeTakeFirst();
+    if (res.numDeletedRows === 0n) {
+      throw new IntegrityError("File not found in category");
+    }
+
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
+        timestamp: new Date(),
+        action: "remove-from-category",
+        category_id: categoryId,
+      })
+      .execute();
+  });
 };

src/lib/server/db/hsk.ts

@@ -1,8 +1,15 @@
-import { SqliteError } from "better-sqlite3";
-import { and, eq } from "drizzle-orm";
-import db from "./drizzle";
+import pg from "pg";
 import { IntegrityError } from "./error";
-import { hsk, hskLog } from "./schema";
+import db from "./kysely";
+import type { HskState } from "./schema";
+
+interface Hsk {
+  userId: number;
+  version: number;
+  state: HskState;
+  mekVersion: number;
+  encHsk: string;
+}
 
 export const registerInitialHsk = async (
   userId: number,
@@ -10,37 +17,52 @@ export const registerInitialHsk = async (
   mekVersion: number,
   encHsk: string,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      try {
-        await tx.insert(hsk).values({
-          userId,
+  await db.transaction().execute(async (trx) => {
+    try {
+      await trx
+        .insertInto("hmac_secret_key")
+        .values({
+          user_id: userId,
           version: 1,
           state: "active",
-          mekVersion,
-          encHsk,
-        });
-        await tx.insert(hskLog).values({
-          userId,
-          hskVersion: 1,
+          master_encryption_key_version: mekVersion,
+          encrypted_key: encHsk,
+        })
+        .execute();
+      await trx
+        .insertInto("hmac_secret_key_log")
+        .values({
+          user_id: userId,
+          hmac_secret_key_version: 1,
           timestamp: new Date(),
           action: "create",
-          actionBy: createdBy,
-        });
-      } catch (e) {
-        if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
-          throw new IntegrityError("HSK already registered");
-        }
-        throw e;
+          action_by: createdBy,
+        })
+        .execute();
+    } catch (e) {
+      if (e instanceof pg.DatabaseError && e.code === "23505") {
+        throw new IntegrityError("HSK already registered");
       }
-    },
-    { behavior: "exclusive" },
-  );
+      throw e;
+    }
+  });
 };
 
 export const getAllValidHsks = async (userId: number) => {
-  return await db
-    .select()
-    .from(hsk)
-    .where(and(eq(hsk.userId, userId), eq(hsk.state, "active")));
+  const hsks = await db
+    .selectFrom("hmac_secret_key")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .where("state", "=", "active")
+    .execute();
+  return hsks.map(
+    ({ user_id, version, state, master_encryption_key_version, encrypted_key }) =>
+      ({
+        userId: user_id,
+        version,
+        state: state as "active",
+        mekVersion: master_encryption_key_version,
+        encHsk: encrypted_key,
+      }) satisfies Hsk,
+  );
 };

src/lib/server/db/kysely.ts

@@ -0,0 +1,47 @@
+import { Kysely, PostgresDialect, Migrator } from "kysely";
+import pg from "pg";
+import env from "$lib/server/loadenv";
+import migrations from "./migrations";
+import type { Database } from "./schema";
+
+const dialect = new PostgresDialect({
+  pool: new pg.Pool({
+    host: env.database.host,
+    port: env.database.port,
+    user: env.database.user,
+    password: env.database.password,
+    database: env.database.name,
+  }),
+});
+
+const db = new Kysely<Database>({ dialect });
+
+export const migrateDB = async () => {
+  if (env.nodeEnv !== "production") return;
+
+  const migrator = new Migrator({
+    db,
+    provider: {
+      async getMigrations() {
+        return migrations;
+      },
+    },
+  });
+  const { error, results } = await migrator.migrateToLatest();
+  if (error) {
+    const migration = results?.find(({ status }) => status === "Error");
+    if (migration) {
+      console.error(`Migration "${migration.migrationName}" failed.`);
+    }
+    console.error(error);
+    process.exit(1);
+  }
+
+  if (results?.length === 0) {
+    console.log("Database is up-to-date.");
+  } else {
+    console.log("Database migration completed.");
+  }
+};
+
+export default db;

src/lib/server/db/mek.ts

@@ -1,8 +1,19 @@
-import { SqliteError } from "better-sqlite3";
-import { and, or, eq } from "drizzle-orm";
-import db from "./drizzle";
+import pg from "pg";
 import { IntegrityError } from "./error";
-import { mek, mekLog, clientMek } from "./schema";
+import db from "./kysely";
+import type { MekState } from "./schema";
+
+interface Mek {
+  userId: number;
+  version: number;
+  state: MekState;
+}
+
+interface ClientMekWithDetails extends Mek {
+  clientId: number;
+  encMek: string;
+  encMekSig: string;
+}
 
 export const registerInitialMek = async (
   userId: number,
@@ -10,58 +21,80 @@ export const registerInitialMek = async (
   encMek: string,
   encMekSig: string,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      try {
-        await tx.insert(mek).values({
-          userId,
+  await db.transaction().execute(async (trx) => {
+    try {
+      await trx
+        .insertInto("master_encryption_key")
+        .values({
+          user_id: userId,
           version: 1,
           state: "active",
-        });
-        await tx.insert(clientMek).values({
-          userId,
-          clientId: createdBy,
-          mekVersion: 1,
-          encMek,
-          encMekSig,
-        });
-        await tx.insert(mekLog).values({
-          userId,
-          mekVersion: 1,
+        })
+        .execute();
+      await trx
+        .insertInto("client_master_encryption_key")
+        .values({
+          user_id: userId,
+          client_id: createdBy,
+          version: 1,
+          encrypted_key: encMek,
+          encrypted_key_signature: encMekSig,
+        })
+        .execute();
+      await trx
+        .insertInto("master_encryption_key_log")
+        .values({
+          user_id: userId,
+          master_encryption_key_version: 1,
           timestamp: new Date(),
           action: "create",
-          actionBy: createdBy,
-        });
-      } catch (e) {
-        if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
-          throw new IntegrityError("MEK already registered");
-        }
-        throw e;
+          action_by: createdBy,
+        })
+        .execute();
+    } catch (e) {
+      if (e instanceof pg.DatabaseError && e.code === "23505") {
+        throw new IntegrityError("MEK already registered");
       }
-    },
-    { behavior: "exclusive" },
-  );
+      throw e;
+    }
+  });
 };
 
 export const getInitialMek = async (userId: number) => {
-  const meks = await db
-    .select()
-    .from(mek)
-    .where(and(eq(mek.userId, userId), eq(mek.version, 1)))
-    .limit(1);
-  return meks[0] ?? null;
+  const mek = await db
+    .selectFrom("master_encryption_key")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .where("version", "=", 1)
+    .limit(1)
+    .executeTakeFirst();
+  return mek
+    ? ({ userId: mek.user_id, version: mek.version, state: mek.state } satisfies Mek)
+    : null;
 };
 
 export const getAllValidClientMeks = async (userId: number, clientId: number) => {
-  return await db
-    .select()
-    .from(clientMek)
-    .innerJoin(mek, and(eq(clientMek.userId, mek.userId), eq(clientMek.mekVersion, mek.version)))
-    .where(
-      and(
-        eq(clientMek.userId, userId),
-        eq(clientMek.clientId, clientId),
-        or(eq(mek.state, "active"), eq(mek.state, "retired")),
-      ),
-    );
+  const clientMeks = await db
+    .selectFrom("client_master_encryption_key")
+    .innerJoin("master_encryption_key", (join) =>
+      join
+        .onRef("client_master_encryption_key.user_id", "=", "master_encryption_key.user_id")
+        .onRef("client_master_encryption_key.version", "=", "master_encryption_key.version"),
+    )
+    .selectAll()
+    .where("client_master_encryption_key.user_id", "=", userId)
+    .where("client_master_encryption_key.client_id", "=", clientId)
+    .where((eb) => eb.or([eb("state", "=", "active"), eb("state", "=", "retired")]))
+    .execute();
+  return clientMeks.map(
+    ({ user_id, client_id, version, state, encrypted_key, encrypted_key_signature }) =>
+      ({
+        userId: user_id,
+        version,
+        state: state as "active" | "retired",
+        clientId: client_id,
+        encMek: encrypted_key,
+        encMekSig: encrypted_key_signature,
+      }) satisfies ClientMekWithDetails,
+  );
 };

src/lib/server/db/migrations/1737357000-Initial.ts

@@ -0,0 +1,224 @@
+import { Kysely } from "kysely";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const up = async (db: Kysely<any>) => {
+  // user.ts
+  await db.schema
+    .createTable("user")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("email", "text", (col) => col.unique().notNull())
+    .addColumn("nickname", "text", (col) => col.notNull())
+    .addColumn("password", "text", (col) => col.notNull())
+    .execute();
+
+  // client.ts
+  await db.schema
+    .createTable("client")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("encryption_public_key", "text", (col) => col.unique().notNull())
+    .addColumn("signature_public_key", "text", (col) => col.unique().notNull())
+    .addUniqueConstraint("client_ak01", ["encryption_public_key", "signature_public_key"])
+    .execute();
+  await db.schema
+    .createTable("user_client")
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("client_id", "integer", (col) => col.references("client.id").notNull())
+    .addColumn("state", "text", (col) => col.notNull().defaultTo("challenging"))
+    .addPrimaryKeyConstraint("user_client_pk", ["user_id", "client_id"])
+    .execute();
+  await db.schema
+    .createTable("user_client_challenge")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("client_id", "integer", (col) => col.references("client.id").notNull())
+    .addColumn("answer", "text", (col) => col.unique().notNull())
+    .addColumn("allowed_ip", "text", (col) => col.notNull())
+    .addColumn("expires_at", "timestamp(3)", (col) => col.notNull())
+    .addForeignKeyConstraint(
+      "user_client_challenge_fk01",
+      ["user_id", "client_id"],
+      "user_client",
+      ["user_id", "client_id"],
+    )
+    .execute();
+
+  // session.ts
+  await db.schema
+    .createTable("session")
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("client_id", "integer", (col) => col.references("client.id"))
+    .addColumn("created_at", "timestamp(3)", (col) => col.notNull())
+    .addColumn("last_used_at", "timestamp(3)", (col) => col.notNull())
+    .addColumn("last_used_by_ip", "text")
+    .addColumn("last_used_by_agent", "text")
+    .addUniqueConstraint("session_ak01", ["user_id", "client_id"])
+    .execute();
+  await db.schema
+    .createTable("session_upgrade_challenge")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("session_id", "text", (col) => col.references("session.id").unique().notNull())
+    .addColumn("client_id", "integer", (col) => col.references("client.id").notNull())
+    .addColumn("answer", "text", (col) => col.unique().notNull())
+    .addColumn("allowed_ip", "text", (col) => col.notNull())
+    .addColumn("expires_at", "timestamp(3)", (col) => col.notNull())
+    .execute();
+
+  // mek.ts
+  await db.schema
+    .createTable("master_encryption_key")
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("version", "integer", (col) => col.notNull())
+    .addColumn("state", "text", (col) => col.notNull())
+    .addPrimaryKeyConstraint("master_encryption_key_pk", ["user_id", "version"])
+    .execute();
+  await db.schema
+    .createTable("master_encryption_key_log")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
+    .addColumn("timestamp", "timestamp(3)", (col) => col.notNull())
+    .addColumn("action", "text", (col) => col.notNull())
+    .addColumn("action_by", "integer", (col) => col.references("client.id"))
+    .addForeignKeyConstraint(
+      "master_encryption_key_log_fk01",
+      ["user_id", "master_encryption_key_version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .execute();
+  await db.schema
+    .createTable("client_master_encryption_key")
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("client_id", "integer", (col) => col.references("client.id").notNull())
+    .addColumn("version", "integer", (col) => col.notNull())
+    .addColumn("encrypted_key", "text", (col) => col.notNull())
+    .addColumn("encrypted_key_signature", "text", (col) => col.notNull())
+    .addPrimaryKeyConstraint("client_master_encryption_key_pk", ["user_id", "client_id", "version"])
+    .addForeignKeyConstraint(
+      "client_master_encryption_key_fk01",
+      ["user_id", "version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .execute();
+
+  // hsk.ts
+  await db.schema
+    .createTable("hmac_secret_key")
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("version", "integer", (col) => col.notNull())
+    .addColumn("state", "text", (col) => col.notNull())
+    .addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
+    .addColumn("encrypted_key", "text", (col) => col.unique().notNull())
+    .addPrimaryKeyConstraint("hmac_secret_key_pk", ["user_id", "version"])
+    .addForeignKeyConstraint(
+      "hmac_secret_key_fk01",
+      ["user_id", "master_encryption_key_version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .execute();
+  await db.schema
+    .createTable("hmac_secret_key_log")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("hmac_secret_key_version", "integer", (col) => col.notNull())
+    .addColumn("timestamp", "timestamp(3)", (col) => col.notNull())
+    .addColumn("action", "text", (col) => col.notNull())
+    .addColumn("action_by", "integer", (col) => col.references("client.id"))
+    .addForeignKeyConstraint(
+      "hmac_secret_key_log_fk01",
+      ["user_id", "hmac_secret_key_version"],
+      "hmac_secret_key",
+      ["user_id", "version"],
+    )
+    .execute();
+
+  // file.ts
+  await db.schema
+    .createTable("directory")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("parent_id", "integer", (col) => col.references("directory.id"))
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
+    .addColumn("encrypted_data_encryption_key", "text", (col) => col.unique().notNull())
+    .addColumn("data_encryption_key_version", "timestamp(3)", (col) => col.notNull())
+    .addColumn("encrypted_name", "json", (col) => col.notNull())
+    .addForeignKeyConstraint(
+      "directory_fk01",
+      ["user_id", "master_encryption_key_version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .execute();
+  await db.schema
+    .createTable("directory_log")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("directory_id", "integer", (col) =>
+      col.references("directory.id").onDelete("cascade").notNull(),
+    )
+    .addColumn("timestamp", "timestamp(3)", (col) => col.notNull())
+    .addColumn("action", "text", (col) => col.notNull())
+    .addColumn("new_name", "json")
+    .execute();
+  await db.schema
+    .createTable("file")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("parent_id", "integer", (col) => col.references("directory.id"))
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("path", "text", (col) => col.unique().notNull())
+    .addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
+    .addColumn("encrypted_data_encryption_key", "text", (col) => col.unique().notNull())
+    .addColumn("data_encryption_key_version", "timestamp(3)", (col) => col.notNull())
+    .addColumn("hmac_secret_key_version", "integer")
+    .addColumn("content_hmac", "text")
+    .addColumn("content_type", "text", (col) => col.notNull())
+    .addColumn("encrypted_content_iv", "text", (col) => col.notNull())
+    .addColumn("encrypted_content_hash", "text", (col) => col.notNull())
+    .addColumn("encrypted_name", "json", (col) => col.notNull())
+    .addColumn("encrypted_created_at", "json")
+    .addColumn("encrypted_last_modified_at", "json", (col) => col.notNull())
+    .addForeignKeyConstraint(
+      "file_fk01",
+      ["user_id", "master_encryption_key_version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .addForeignKeyConstraint(
+      "file_fk02",
+      ["user_id", "hmac_secret_key_version"],
+      "hmac_secret_key",
+      ["user_id", "version"],
+    )
+    .execute();
+  await db.schema
+    .createTable("file_log")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("file_id", "integer", (col) =>
+      col.references("file.id").onDelete("cascade").notNull(),
+    )
+    .addColumn("timestamp", "timestamp(3)", (col) => col.notNull())
+    .addColumn("action", "text", (col) => col.notNull())
+    .addColumn("new_name", "json")
+    .execute();
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const down = async (db: Kysely<any>) => {
+  await db.schema.dropTable("file_log").execute();
+  await db.schema.dropTable("file").execute();
+  await db.schema.dropTable("directory_log").execute();
+  await db.schema.dropTable("directory").execute();
+  await db.schema.dropTable("hmac_secret_key_log").execute();
+  await db.schema.dropTable("hmac_secret_key").execute();
+  await db.schema.dropTable("client_master_encryption_key").execute();
+  await db.schema.dropTable("master_encryption_key_log").execute();
+  await db.schema.dropTable("master_encryption_key").execute();
+  await db.schema.dropTable("session_upgrade_challenge").execute();
+  await db.schema.dropTable("session").execute();
+  await db.schema.dropTable("user_client_challenge").execute();
+  await db.schema.dropTable("user_client").execute();
+  await db.schema.dropTable("client").execute();
+  await db.schema.dropTable("user").execute();
+};

src/lib/server/db/migrations/1737422340-AddFileCategory.ts

@@ -0,0 +1,65 @@
+import { Kysely } from "kysely";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const up = async (db: Kysely<any>) => {
+  // category.ts
+  await db.schema
+    .createTable("category")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("parent_id", "integer", (col) => col.references("category.id").onDelete("cascade"))
+    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
+    .addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
+    .addColumn("encrypted_data_encryption_key", "text", (col) => col.unique().notNull())
+    .addColumn("data_encryption_key_version", "timestamp(3)", (col) => col.notNull())
+    .addColumn("encrypted_name", "json", (col) => col.notNull())
+    .addForeignKeyConstraint(
+      "category_fk01",
+      ["user_id", "master_encryption_key_version"],
+      "master_encryption_key",
+      ["user_id", "version"],
+    )
+    .execute();
+  await db.schema
+    .createTable("category_log")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("category_id", "integer", (col) =>
+      col.references("category.id").onDelete("cascade").notNull(),
+    )
+    .addColumn("timestamp", "timestamp(3)", (col) => col.notNull())
+    .addColumn("action", "text", (col) => col.notNull())
+    .addColumn("new_name", "json")
+    .execute();
+
+  // file.ts
+  await db.schema
+    .alterTable("file_log")
+    .addColumn("category_id", "integer", (col) =>
+      col.references("category.id").onDelete("set null"),
+    )
+    .execute();
+  await db.schema
+    .createTable("file_category")
+    .addColumn("file_id", "integer", (col) =>
+      col.references("file.id").onDelete("cascade").notNull(),
+    )
+    .addColumn("category_id", "integer", (col) =>
+      col.references("category.id").onDelete("cascade").notNull(),
+    )
+    .addPrimaryKeyConstraint("file_category_pk", ["file_id", "category_id"])
+    .execute();
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const down = async (db: Kysely<any>) => {
+  await db
+    .deleteFrom("file_log")
+    .where((eb) =>
+      eb.or([eb("action", "=", "add-to-category"), eb("action", "=", "remove-from-category")]),
+    )
+    .execute();
+
+  await db.schema.dropTable("file_category").execute();
+  await db.schema.alterTable("file_log").dropColumn("category_id").execute();
+  await db.schema.dropTable("category_log").execute();
+  await db.schema.dropTable("category").execute();
+};

src/lib/server/db/migrations/index.ts

@@ -0,0 +1,7 @@
+import * as Initial1737357000 from "./1737357000-Initial";
+import * as AddFileCategory1737422340 from "./1737422340-AddFileCategory";
+
+export default {
+  "1737357000-Initial": Initial1737357000,
+  "1737422340-AddFileCategory": AddFileCategory1737422340,
+};

src/lib/server/db/schema/category.ts

@@ -0,0 +1,27 @@
+import type { Generated } from "kysely";
+import type { Ciphertext } from "./util";
+
+interface CategoryTable {
+  id: Generated<number>;
+  parent_id: number | null;
+  user_id: number;
+  master_encryption_key_version: number;
+  encrypted_data_encryption_key: string; // Base64
+  data_encryption_key_version: Date;
+  encrypted_name: Ciphertext;
+}
+
+interface CategoryLogTable {
+  id: Generated<number>;
+  category_id: number;
+  timestamp: Date;
+  action: "create" | "rename";
+  new_name: Ciphertext | null;
+}
+
+declare module "./index" {
+  interface Database {
+    category: CategoryTable;
+    category_log: CategoryLogTable;
+  }
+}

src/lib/server/db/schema/client.ts

@@ -1,61 +1,32 @@
-import {
-  sqliteTable,
-  text,
-  integer,
-  primaryKey,
-  foreignKey,
-  unique,
-} from "drizzle-orm/sqlite-core";
-import { user } from "./user";
+import type { ColumnType, Generated } from "kysely";
 
-export const client = sqliteTable(
-  "client",
-  {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    encPubKey: text("encryption_public_key").notNull().unique(), // Base64
-    sigPubKey: text("signature_public_key").notNull().unique(), // Base64
-  },
-  (t) => ({
-    unq: unique().on(t.encPubKey, t.sigPubKey),
-  }),
-);
+interface ClientTable {
+  id: Generated<number>;
+  encryption_public_key: string; // Base64
+  signature_public_key: string; // Base64
+}
 
-export const userClient = sqliteTable(
-  "user_client",
-  {
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    clientId: integer("client_id")
-      .notNull()
-      .references(() => client.id),
-    state: text("state", { enum: ["challenging", "pending", "active"] })
-      .notNull()
-      .default("challenging"),
-  },
-  (t) => ({
-    pk: primaryKey({ columns: [t.userId, t.clientId] }),
-  }),
-);
+export type UserClientState = "challenging" | "pending" | "active";
 
-export const userClientChallenge = sqliteTable(
-  "user_client_challenge",
-  {
-    id: integer("id").primaryKey(),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    clientId: integer("client_id")
-      .notNull()
-      .references(() => client.id),
-    answer: text("answer").notNull().unique(), // Base64
-    allowedIp: text("allowed_ip").notNull(),
-    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
-  },
-  (t) => ({
-    ref: foreignKey({
-      columns: [t.userId, t.clientId],
-      foreignColumns: [userClient.userId, userClient.clientId],
-    }),
-  }),
-);
+interface UserClientTable {
+  user_id: number;
+  client_id: number;
+  state: ColumnType<UserClientState, UserClientState | undefined>;
+}
+
+interface UserClientChallengeTable {
+  id: Generated<number>;
+  user_id: number;
+  client_id: number;
+  answer: string; // Base64
+  allowed_ip: string;
+  expires_at: ColumnType<Date, Date, never>;
+}
+
+declare module "./index" {
+  interface Database {
+    client: ClientTable;
+    user_client: UserClientTable;
+    user_client_challenge: UserClientChallengeTable;
+  }
+}

src/lib/server/db/schema/file.ts

@@ -1,87 +1,62 @@
-import { sqliteTable, text, integer, foreignKey } from "drizzle-orm/sqlite-core";
-import { hsk } from "./hsk";
-import { mek } from "./mek";
-import { user } from "./user";
+import type { ColumnType, Generated } from "kysely";
+import type { Ciphertext } from "./util";
 
-const ciphertext = (name: string) =>
-  text(name, { mode: "json" }).$type<{
-    ciphertext: string; // Base64
-    iv: string; // Base64
-  }>();
+interface DirectoryTable {
+  id: Generated<number>;
+  parent_id: number | null;
+  user_id: number;
+  master_encryption_key_version: number;
+  encrypted_data_encryption_key: string; // Base64
+  data_encryption_key_version: Date;
+  encrypted_name: Ciphertext;
+}
 
-export const directory = sqliteTable(
-  "directory",
-  {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    parentId: integer("parent_id"),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
-    dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
-    encName: ciphertext("encrypted_name").notNull(),
-  },
-  (t) => ({
-    ref1: foreignKey({
-      columns: [t.parentId],
-      foreignColumns: [t.id],
-    }),
-    ref2: foreignKey({
-      columns: [t.userId, t.mekVersion],
-      foreignColumns: [mek.userId, mek.version],
-    }),
-  }),
-);
+interface DirectoryLogTable {
+  id: Generated<number>;
+  directory_id: number;
+  timestamp: ColumnType<Date, Date, never>;
+  action: "create" | "rename";
+  new_name: Ciphertext | null;
+}
 
-export const directoryLog = sqliteTable("directory_log", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  directoryId: integer("directory_id")
-    .notNull()
-    .references(() => directory.id, { onDelete: "cascade" }),
-  timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull(),
-  action: text("action", { enum: ["create", "rename"] }).notNull(),
-  newName: ciphertext("new_name"),
-});
+interface FileTable {
+  id: Generated<number>;
+  parent_id: number | null;
+  user_id: number;
+  path: string;
+  master_encryption_key_version: number;
+  encrypted_data_encryption_key: string; // Base64
+  data_encryption_key_version: Date;
+  hmac_secret_key_version: number | null;
+  content_hmac: string | null; // Base64
+  content_type: string;
+  encrypted_content_iv: string; // Base64
+  encrypted_content_hash: string; // Base64
+  encrypted_name: Ciphertext;
+  encrypted_created_at: Ciphertext | null;
+  encrypted_last_modified_at: Ciphertext;
+}
 
-export const file = sqliteTable(
-  "file",
-  {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    parentId: integer("parent_id").references(() => directory.id),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    path: text("path").notNull().unique(),
-    mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
-    dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
-    hskVersion: integer("hmac_secret_key_version"),
-    contentHmac: text("content_hmac"), // Base64
-    contentType: text("content_type").notNull(),
-    encContentIv: text("encrypted_content_iv").notNull(), // Base64
-    encName: ciphertext("encrypted_name").notNull(),
-    encCreatedAt: ciphertext("encrypted_created_at"),
-    encLastModifiedAt: ciphertext("encrypted_last_modified_at").notNull(),
-  },
-  (t) => ({
-    ref1: foreignKey({
-      columns: [t.userId, t.mekVersion],
-      foreignColumns: [mek.userId, mek.version],
-    }),
-    ref2: foreignKey({
-      columns: [t.userId, t.hskVersion],
-      foreignColumns: [hsk.userId, hsk.version],
-    }),
-  }),
-);
+interface FileLogTable {
+  id: Generated<number>;
+  file_id: number;
+  timestamp: ColumnType<Date, Date, never>;
+  action: "create" | "rename" | "add-to-category" | "remove-from-category";
+  new_name: Ciphertext | null;
+  category_id: number | null;
+}
 
-export const fileLog = sqliteTable("file_log", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  fileId: integer("file_id")
-    .notNull()
-    .references(() => file.id, { onDelete: "cascade" }),
-  timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull(),
-  action: text("action", { enum: ["create", "rename"] }).notNull(),
-  newName: ciphertext("new_name"),
-});
+interface FileCategoryTable {
+  file_id: number;
+  category_id: number;
+}
+
+declare module "./index" {
+  interface Database {
+    directory: DirectoryTable;
+    directory_log: DirectoryLogTable;
+    file: FileTable;
+    file_log: FileLogTable;
+    file_category: FileCategoryTable;
+  }
+}

src/lib/server/db/schema/hsk.ts

@@ -1,43 +1,27 @@
-import { sqliteTable, text, integer, primaryKey, foreignKey } from "drizzle-orm/sqlite-core";
-import { mek } from "./mek";
-import { user } from "./user";
+import type { ColumnType, Generated } from "kysely";
 
-export const hsk = sqliteTable(
-  "hmac_secret_key",
-  {
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    version: integer("version").notNull(),
-    state: text("state", { enum: ["active"] }).notNull(),
-    mekVersion: integer("master_encryption_key_version").notNull(),
-    encHsk: text("encrypted_key").notNull().unique(), // Base64
-  },
-  (t) => ({
-    pk: primaryKey({ columns: [t.userId, t.version] }),
-    ref: foreignKey({
-      columns: [t.userId, t.mekVersion],
-      foreignColumns: [mek.userId, mek.version],
-    }),
-  }),
-);
+export type HskState = "active";
 
-export const hskLog = sqliteTable(
-  "hmac_secret_key_log",
-  {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    hskVersion: integer("hmac_secret_key_version").notNull(),
-    timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull(),
-    action: text("action", { enum: ["create"] }).notNull(),
-    actionBy: integer("action_by").references(() => user.id),
-  },
-  (t) => ({
-    ref: foreignKey({
-      columns: [t.userId, t.hskVersion],
-      foreignColumns: [hsk.userId, hsk.version],
-    }),
-  }),
-);
+interface HskTable {
+  user_id: number;
+  version: number;
+  state: HskState;
+  master_encryption_key_version: number;
+  encrypted_key: string; // Base64
+}
+
+interface HskLogTable {
+  id: Generated<number>;
+  user_id: number;
+  hmac_secret_key_version: number;
+  timestamp: ColumnType<Date, Date, never>;
+  action: "create";
+  action_by: number | null;
+}
+
+declare module "./index" {
+  interface Database {
+    hmac_secret_key: HskTable;
+    hmac_secret_key_log: HskLogTable;
+  }
+}

src/lib/server/db/schema/index.ts

@@ -1,6 +1,11 @@
+export * from "./category";
 export * from "./client";
 export * from "./file";
 export * from "./hsk";
 export * from "./mek";
 export * from "./session";
 export * from "./user";
+export * from "./util";
+
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type
+export interface Database {}

src/lib/server/db/schema/mek.ts

@@ -1,60 +1,34 @@
-import { sqliteTable, text, integer, primaryKey, foreignKey } from "drizzle-orm/sqlite-core";
-import { client } from "./client";
-import { user } from "./user";
+import type { ColumnType, Generated } from "kysely";
 
-export const mek = sqliteTable(
-  "master_encryption_key",
-  {
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    version: integer("version").notNull(),
-    state: text("state", { enum: ["active", "retired", "dead"] }).notNull(),
-    retiredAt: integer("retired_at", { mode: "timestamp_ms" }),
-  },
-  (t) => ({
-    pk: primaryKey({ columns: [t.userId, t.version] }),
-  }),
-);
+export type MekState = "active" | "retired" | "dead";
 
-export const mekLog = sqliteTable(
-  "master_encryption_key_log",
-  {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    mekVersion: integer("master_encryption_key_version").notNull(),
-    timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull(),
-    action: text("action", { enum: ["create"] }).notNull(),
-    actionBy: integer("action_by").references(() => client.id),
-  },
-  (t) => ({
-    ref: foreignKey({
-      columns: [t.userId, t.mekVersion],
-      foreignColumns: [mek.userId, mek.version],
-    }),
-  }),
-);
+interface MekTable {
+  user_id: number;
+  version: number;
+  state: MekState;
+}
 
-export const clientMek = sqliteTable(
-  "client_master_encryption_key",
-  {
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    clientId: integer("client_id")
-      .notNull()
-      .references(() => client.id),
-    mekVersion: integer("version").notNull(),
-    encMek: text("encrypted_key").notNull(), // Base64
-    encMekSig: text("encrypted_key_signature").notNull(), // Base64
-  },
-  (t) => ({
-    pk: primaryKey({ columns: [t.userId, t.clientId, t.mekVersion] }),
-    ref: foreignKey({
-      columns: [t.userId, t.mekVersion],
-      foreignColumns: [mek.userId, mek.version],
-    }),
-  }),
-);
+interface MekLogTable {
+  id: Generated<number>;
+  user_id: number;
+  master_encryption_key_version: number;
+  timestamp: ColumnType<Date, Date, never>;
+  action: "create";
+  action_by: number | null;
+}
+
+interface ClientMekTable {
+  user_id: number;
+  client_id: number;
+  version: number;
+  encrypted_key: string; // Base64
+  encrypted_key_signature: string; // Base64
+}
+
+declare module "./index" {
+  interface Database {
+    master_encryption_key: MekTable;
+    master_encryption_key_log: MekLogTable;
+    client_master_encryption_key: ClientMekTable;
+  }
+}

src/lib/server/db/schema/session.ts

@@ -1,35 +1,27 @@
-import { sqliteTable, text, integer, unique } from "drizzle-orm/sqlite-core";
-import { client } from "./client";
-import { user } from "./user";
+import type { ColumnType, Generated } from "kysely";
 
-export const session = sqliteTable(
-  "session",
-  {
-    id: text("id").notNull().primaryKey(),
-    userId: integer("user_id")
-      .notNull()
-      .references(() => user.id),
-    clientId: integer("client_id").references(() => client.id),
-    createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
-    lastUsedAt: integer("last_used_at", { mode: "timestamp_ms" }).notNull(),
-    lastUsedByIp: text("last_used_by_ip"),
-    lastUsedByUserAgent: text("last_used_by_user_agent"),
-  },
-  (t) => ({
-    unq: unique().on(t.userId, t.clientId),
-  }),
-);
+interface SessionTable {
+  id: string;
+  user_id: number;
+  client_id: number | null;
+  created_at: ColumnType<Date, Date, never>;
+  last_used_at: Date;
+  last_used_by_ip: string | null;
+  last_used_by_agent: string | null;
+}
 
-export const sessionUpgradeChallenge = sqliteTable("session_upgrade_challenge", {
-  id: integer("id").primaryKey(),
-  sessionId: text("session_id")
-    .notNull()
-    .references(() => session.id)
-    .unique(),
-  clientId: integer("client_id")
-    .notNull()
-    .references(() => client.id),
-  answer: text("answer").notNull().unique(), // Base64
-  allowedIp: text("allowed_ip").notNull(),
-  expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
-});
+interface SessionUpgradeChallengeTable {
+  id: Generated<number>;
+  session_id: string;
+  client_id: number;
+  answer: string; // Base64
+  allowed_ip: string;
+  expires_at: ColumnType<Date, Date, never>;
+}
+
+declare module "./index" {
+  interface Database {
+    session: SessionTable;
+    session_upgrade_challenge: SessionUpgradeChallengeTable;
+  }
+}

src/lib/server/db/schema/user.ts

@@ -1,8 +1,14 @@
-import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
+import type { Generated } from "kysely";
 
-export const user = sqliteTable("user", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  email: text("email").notNull().unique(),
-  password: text("password").notNull(),
-  nickname: text("nickname").notNull(),
-});
+interface UserTable {
+  id: Generated<number>;
+  email: string;
+  nickname: string;
+  password: string;
+}
+
+declare module "./index" {
+  interface Database {
+    user: UserTable;
+  }
+}

src/lib/server/db/schema/util.ts

@@ -0,0 +1,4 @@
+export interface Ciphertext {
+  ciphertext: string; // Base64
+  iv: string; // Base64
+}

src/lib/server/db/session.ts

@@ -1,30 +1,31 @@
-import { SqliteError } from "better-sqlite3";
-import { and, eq, ne, gt, lte, isNull } from "drizzle-orm";
+import pg from "pg";
 import env from "$lib/server/loadenv";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { session, sessionUpgradeChallenge } from "./schema";
+import db from "./kysely";
 
 export const createSession = async (
   userId: number,
   clientId: number | null,
   sessionId: string,
   ip: string | null,
-  userAgent: string | null,
+  agent: string | null,
 ) => {
   try {
     const now = new Date();
-    await db.insert(session).values({
-      id: sessionId,
-      userId,
-      clientId,
-      createdAt: now,
-      lastUsedAt: now,
-      lastUsedByIp: ip || null,
-      lastUsedByUserAgent: userAgent || null,
-    });
+    await db
+      .insertInto("session")
+      .values({
+        id: sessionId,
+        user_id: userId,
+        client_id: clientId,
+        created_at: now,
+        last_used_at: now,
+        last_used_by_ip: ip || null,
+        last_used_by_agent: agent || null,
+      })
+      .execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
+    if (e instanceof pg.DatabaseError && e.code === "23505") {
       throw new IntegrityError("Session already exists");
     }
     throw e;
@@ -34,49 +35,55 @@ export const createSession = async (
 export const refreshSession = async (
   sessionId: string,
   ip: string | null,
-  userAgent: string | null,
+  agent: string | null,
 ) => {
   const now = new Date();
-  const sessions = await db
-    .update(session)
+  const session = await db
+    .updateTable("session")
     .set({
-      lastUsedAt: now,
-      lastUsedByIp: ip || undefined,
-      lastUsedByUserAgent: userAgent || undefined,
+      last_used_at: now,
+      last_used_by_ip: ip !== "" ? ip : undefined, // Don't update if empty
+      last_used_by_agent: agent !== "" ? agent : undefined, // Don't update if empty
     })
-    .where(
-      and(
-        eq(session.id, sessionId),
-        gt(session.lastUsedAt, new Date(now.getTime() - env.session.exp)),
-      ),
-    )
-    .returning({ userId: session.userId, clientId: session.clientId });
-  if (!sessions[0]) {
+    .where("id", "=", sessionId)
+    .where("last_used_at", ">", new Date(now.getTime() - env.session.exp))
+    .returning(["user_id", "client_id"])
+    .executeTakeFirst();
+  if (!session) {
     throw new IntegrityError("Session not found");
   }
-  return sessions[0];
+  return { userId: session.user_id, clientId: session.client_id };
 };
 
 export const upgradeSession = async (sessionId: string, clientId: number) => {
   const res = await db
-    .update(session)
-    .set({ clientId })
-    .where(and(eq(session.id, sessionId), isNull(session.clientId)));
-  if (res.changes === 0) {
+    .updateTable("session")
+    .set({ client_id: clientId })
+    .where("id", "=", sessionId)
+    .where("client_id", "is", null)
+    .executeTakeFirst();
+  if (res.numUpdatedRows === 0n) {
     throw new IntegrityError("Session not found");
   }
 };
 
 export const deleteSession = async (sessionId: string) => {
-  await db.delete(session).where(eq(session.id, sessionId));
+  await db.deleteFrom("session").where("id", "=", sessionId).execute();
 };
 
 export const deleteAllOtherSessions = async (userId: number, sessionId: string) => {
-  await db.delete(session).where(and(eq(session.userId, userId), ne(session.id, sessionId)));
+  await db
+    .deleteFrom("session")
+    .where("id", "!=", sessionId)
+    .where("user_id", "=", userId)
+    .execute();
 };
 
 export const cleanupExpiredSessions = async () => {
-  await db.delete(session).where(lte(session.lastUsedAt, new Date(Date.now() - env.session.exp)));
+  await db
+    .deleteFrom("session")
+    .where("last_used_at", "<=", new Date(Date.now() - env.session.exp))
+    .execute();
 };
 
 export const registerSessionUpgradeChallenge = async (
@@ -87,15 +94,18 @@ export const registerSessionUpgradeChallenge = async (
   expiresAt: Date,
 ) => {
   try {
-    await db.insert(sessionUpgradeChallenge).values({
-      sessionId,
-      clientId,
-      answer,
-      allowedIp,
-      expiresAt,
-    });
+    await db
+      .insertInto("session_upgrade_challenge")
+      .values({
+        session_id: sessionId,
+        client_id: clientId,
+        answer,
+        allowed_ip: allowedIp,
+        expires_at: expiresAt,
+      })
+      .execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
+    if (e instanceof pg.DatabaseError && e.code === "23505") {
       throw new IntegrityError("Challenge already registered");
     }
     throw e;
@@ -107,22 +117,17 @@ export const consumeSessionUpgradeChallenge = async (
   answer: string,
   ip: string,
 ) => {
-  const challenges = await db
-    .delete(sessionUpgradeChallenge)
-    .where(
-      and(
-        eq(sessionUpgradeChallenge.sessionId, sessionId),
-        eq(sessionUpgradeChallenge.answer, answer),
-        eq(sessionUpgradeChallenge.allowedIp, ip),
-        gt(sessionUpgradeChallenge.expiresAt, new Date()),
-      ),
-    )
-    .returning({ clientId: sessionUpgradeChallenge.clientId });
-  return challenges[0] ?? null;
+  const challenge = await db
+    .deleteFrom("session_upgrade_challenge")
+    .where("session_id", "=", sessionId)
+    .where("answer", "=", answer)
+    .where("allowed_ip", "=", ip)
+    .where("expires_at", ">", new Date())
+    .returning("client_id")
+    .executeTakeFirst();
+  return challenge ? { clientId: challenge.client_id } : null;
 };
 
 export const cleanupExpiredSessionUpgradeChallenges = async () => {
-  await db
-    .delete(sessionUpgradeChallenge)
-    .where(lte(sessionUpgradeChallenge.expiresAt, new Date()));
+  await db.deleteFrom("session_upgrade_challenge").where("expires_at", "<=", new Date()).execute();
 };

src/lib/server/db/user.ts

@@ -1,21 +1,36 @@
-import { eq } from "drizzle-orm";
-import db from "./drizzle";
-import { user } from "./schema";
+import db from "./kysely";
+
+interface User {
+  id: number;
+  email: string;
+  nickname: string;
+  password: string;
+}
 
 export const getUser = async (userId: number) => {
-  const users = await db.select().from(user).where(eq(user.id, userId)).limit(1);
-  return users[0] ?? null;
+  const user = await db
+    .selectFrom("user")
+    .selectAll()
+    .where("id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return user ? (user satisfies User) : null;
 };
 
 export const getUserByEmail = async (email: string) => {
-  const users = await db.select().from(user).where(eq(user.email, email)).limit(1);
-  return users[0] ?? null;
-};
-
-export const setUserPassword = async (userId: number, password: string) => {
-  await db.update(user).set({ password }).where(eq(user.id, userId));
+  const user = await db
+    .selectFrom("user")
+    .selectAll()
+    .where("email", "=", email)
+    .limit(1)
+    .executeTakeFirst();
+  return user ? (user satisfies User) : null;
 };
 
 export const setUserNickname = async (userId: number, nickname: string) => {
-  await db.update(user).set({ nickname }).where(eq(user.id, userId));
+  await db.updateTable("user").set({ nickname }).where("id", "=", userId).execute();
+};
+
+export const setUserPassword = async (userId: number, password: string) => {
+  await db.updateTable("user").set({ password }).where("id", "=", userId).execute();
 };

src/lib/server/loadenv.ts

@@ -3,11 +3,19 @@ import { building } from "$app/environment";
 import { env } from "$env/dynamic/private";
 
 if (!building) {
+  if (!env.DATABASE_PASSWORD) throw new Error("DATABASE_PASSWORD not set");
   if (!env.SESSION_SECRET) throw new Error("SESSION_SECRET not set");
 }
 
 export default {
-  databaseUrl: env.DATABASE_URL || "local.db",
+  nodeEnv: env.NODE_ENV || "development",
+  database: {
+    host: env.DATABASE_HOST,
+    port: env.DATABASE_PORT ? parseInt(env.DATABASE_PORT, 10) : undefined,
+    user: env.DATABASE_USER,
+    password: env.DATABASE_PASSWORD!,
+    name: env.DATABASE_NAME,
+  },
   session: {
     secret: env.SESSION_SECRET!,
     exp: ms(env.SESSION_EXPIRES || "14d"),

src/lib/server/modules/mek.ts

@@ -21,5 +21,5 @@ export const verifyClientEncMekSig = async (
   }
 
   const data = JSON.stringify({ version, key: encMek });
-  return verifySignature(Buffer.from(data), encMekSig, userClient.client.sigPubKey);
+  return verifySignature(Buffer.from(data), encMekSig, userClient.sigPubKey);
 };

src/lib/server/schemas/auth.ts

@@ -7,7 +7,7 @@ export const passwordChangeRequest = z.object({
 export type PasswordChangeRequest = z.infer<typeof passwordChangeRequest>;
 
 export const loginRequest = z.object({
-  email: z.string().email().nonempty(),
+  email: z.string().email(),
   password: z.string().trim().nonempty(),
 });
 export type LoginRequest = z.infer<typeof loginRequest>;

src/lib/server/schemas/category.ts

@@ -0,0 +1,55 @@
+import { z } from "zod";
+
+export const categoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
+
+export const categoryInfoResponse = z.object({
+  metadata: z
+    .object({
+      parent: categoryIdSchema,
+      mekVersion: z.number().int().positive(),
+      dek: z.string().base64().nonempty(),
+      dekVersion: z.string().datetime(),
+      name: z.string().base64().nonempty(),
+      nameIv: z.string().base64().nonempty(),
+    })
+    .optional(),
+  subCategories: z.number().int().positive().array(),
+});
+export type CategoryInfoResponse = z.infer<typeof categoryInfoResponse>;
+
+export const categoryFileAddRequest = z.object({
+  file: z.number().int().positive(),
+});
+export type CategoryFileAddRequest = z.infer<typeof categoryFileAddRequest>;
+
+export const categoryFileListResponse = z.object({
+  files: z.array(
+    z.object({
+      file: z.number().int().positive(),
+      isRecursive: z.boolean(),
+    }),
+  ),
+});
+export type CategoryFileListResponse = z.infer<typeof categoryFileListResponse>;
+
+export const categoryFileRemoveRequest = z.object({
+  file: z.number().int().positive(),
+});
+export type CategoryFileRemoveRequest = z.infer<typeof categoryFileRemoveRequest>;
+
+export const categoryRenameRequest = z.object({
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type CategoryRenameRequest = z.infer<typeof categoryRenameRequest>;
+
+export const categoryCreateRequest = z.object({
+  parent: categoryIdSchema,
+  mekVersion: z.number().int().positive(),
+  dek: z.string().base64().nonempty(),
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type CategoryCreateRequest = z.infer<typeof categoryCreateRequest>;

src/lib/server/schemas/directory.ts

@@ -1,9 +1,11 @@
 import { z } from "zod";
 
+export const directoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
+
 export const directoryInfoResponse = z.object({
   metadata: z
     .object({
-      parent: z.union([z.enum(["root"]), z.number().int().positive()]),
+      parent: directoryIdSchema,
       mekVersion: z.number().int().positive(),
       dek: z.string().base64().nonempty(),
       dekVersion: z.string().datetime(),
@@ -29,7 +31,7 @@ export const directoryRenameRequest = z.object({
 export type DirectoryRenameRequest = z.infer<typeof directoryRenameRequest>;
 
 export const directoryCreateRequest = z.object({
-  parent: z.union([z.enum(["root"]), z.number().int().positive()]),
+  parent: directoryIdSchema,
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
   dekVersion: z.string().datetime(),