feat: total remove of database encrytpion logic

[arkanoider]

Summary

Completes the SQLite database encryption removal story: runtime already used plain SQLite; this PR removes leftover Docker/env/password documentation drift, aligns RPC and startup docs with actual behavior, and clarifies the backward-compatible ValidateDbPassword stub.

Changes

• Docker: Removed unused MOSTRO_DB_PASSWORD from docker/compose.yml; trimmed docker/ENV_VARIABLES.md and docker/README.md (wording; no DB password env).
• Docs: docs/STARTUP_AND_CONFIG.md — global state snippet matches src/config/mod.rs; removed obsolete MOSTRO_DB_PASSWORD; SQLite-only DB URL examples; note that there is no DB password global.
• Docs: docs/RPC.md — ValidateDbPassword request fields corrected (password only, ignored).
• Docs: docs/RPC_RATE_LIMITING.md — aligned with validate_db_password (ignored password, per-IP check, always success).
• Proto: proto/admin.proto — comments only (backward compat, no DB encryption).
• Example: examples/rpc_client.rs — empty password with comment that server ignores it.

Summary by CodeRabbit

Release Notes

• Chores

  • Removed database encryption and password functionality; databases no longer require password configuration or decryption steps.
  • Removed --decrypt-db CLI option.
  • Updated mostro-core dependency to version 0.8.0.
  • Simplified Docker configuration by removing password environment setup.
  • Updated .gitignore for IDE configuration.

• Documentation

  • Updated startup guide and RPC documentation to reflect removal of database encryption.
  • Clarified ValidateDbPassword RPC endpoint now serves as backward-compatibility stub.

[coderabbitai]

Walkthrough

This PR removes database encryption and password handling infrastructure throughout the codebase. The decrypt_database function, CLI --decrypt-db flag, and MOSTRO_DB_PASSWORD global are eliminated. All encrypted master pubkey storage and decryption operations are replaced with plaintext values. Documentation is updated to reflect these removals.

Changes

Cohort / File(s)	Summary
Build & Dependencies .gitignore, Cargo.toml	Added .cursor to .gitignore. Updated mostro-core from 0.7.1 to 0.8.0 and removed direct dependencies on rpassword, argon2, and secrecy.
CLI Configuration src/cli.rs, src/main.rs	Removed --decrypt-db boolean flag from CLI interface. Updated settings_init return type from Result<bool, ...> to Result<(), ...>. Removed decrypt-database conditional flow from startup.
Docker & Deployment docker/README.md, docker/compose.yml	Removed documentation and environment configuration for MOSTRO_DB_PASSWORD. Updated step numbering and MOSTRO_RELAY_LOCAL_PORT guidance in Docker Compose README.
Documentation docs/RPC.md, docs/RPC_RATE_LIMITING.md, docs/STARTUP_AND_CONFIG.md, proto/admin.proto	Updated RPC documentation to reflect ValidateDbPassword as backward-compatibility stub with ignored password field. Removed database encryption workflow from startup docs. Updated ValidateDbPasswordRequest protobuf comments. Removed references to interactive password setup and MOSTRO_DB_PASSWORD global.
Database Core src/db.rs	Deleted decrypt_database() function entirely (182 lines including argon2 verification and transactional pubkey decryption). Removed encryption/decryption test logic. Updated inline comments to reflect plaintext pubkey storage.
Application Logic — Master Pubkey Storage src/app/release.rs, src/app/take_buy.rs, src/app/take_sell.rs, src/util.rs	Replaced CryptoUtils::store_encrypted() calls with direct plaintext to_string() assignments for master_buyer_pubkey and master_seller_pubkey. Removed salt generation and encryption plumbing.
Application Logic — Pubkey Retrieval & Privacy src/app/admin_take_dispute.rs, src/app/rate_user.rs, src/app/trade_pubkey.rs	Updated calls to order.is_full_privacy_order() / get_master_buyer_pubkey() / get_master_seller_pubkey() to remove None parameter. Removed decryption operations; now using plaintext values directly.
Utility & Service src/util.rs, src/rpc/service.rs, examples/rpc_client.rs	Removed CryptoUtils::decrypt_data() calls from notify_taker_reputation. Updated validate_db_password comment wording. Removed MOSTRO_DB_TEST_PASSWORD environment reading from example client; now sends empty password string.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• refactor: remove dual encrypted/unencrypted code paths in db.rs #646 — Both PRs consolidate non-encrypted SQL code paths and remove encrypted-database infrastructure from src/db.rs.
• refactor: remove password infrastructure and all encryption code paths #647 — Removes identical database password/encryption infrastructure, including MOSTRO_DB_PASSWORD, decrypt flows, CLI password flags, and CryptoUtils encryption/decryption call sites.
• refactor: add --decrypt-db CLI command for database migration #644 — Introduces the --decrypt-db CLI flag and decrypt_database function; this PR removes both.

Suggested reviewers

• Catrya
• grunch

Poem

🐰 Encryption's gone, passwords are no more,
Plaintext pubkeys dance across the store!
No salts, no hashes, just strings so clear,
Mostro hops forward, encryption's last year! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: total remove of database encrytpion logic' contains a typo ('encrytpion' instead of 'encryption') and describes the main objective of the PR—removing database encryption logic—which aligns with the substantial changes across the codebase, documentation, configuration, and examples.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Important

Merge conflicts detected (Beta)

• Resolve merge conflict in branch encryption-removed

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch encryption-removed

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docker/README.md (1)

65-77: ⚠️ Potential issue | 🟡 Minor

Avoid telling readers to start Compose twice.

Both Step 4 examples already invoke make docker-up, so Step 5 asks readers to run the same startup command again. Either make Step 4 only set MOSTRO_RELAY_LOCAL_PORT, or make Step 5 conditional on not using the inline form.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/README.md` around lines 65 - 77, The README currently shows two
examples in Step 4 that both run `make docker-up`, causing Step 5 to repeat the
same startup command; update the examples so Step 4 only demonstrates setting
the MOSTRO_RELAY_LOCAL_PORT environment variable (e.g., use `export
MOSTRO_RELAY_LOCAL_PORT=7000` and `MOSTRO_RELAY_LOCAL_PORT=7000` forms without
`make docker-up`) or alternatively make Step 5 state “If you haven’t already run
`make docker-up`, run it now” to avoid instructing users to start Compose twice;
modify the text around MOSTRO_RELAY_LOCAL_PORT and `make docker-up` accordingly
to remove the duplicate invocation.

🧹 Nitpick comments (1)

docs/STARTUP_AND_CONFIG.md (1)

86-88: Drop the hardcoded line range in this section.

src/config/types.rs:21-26 will drift quickly. Please reference just src/config/types.rs or the relevant config type instead.

As per coding guidelines: "Do not hardcode source code line numbers in documentation. Reference file paths (e.g., src/app/take_buy.rs) or function names (e.g., fn take_buy_action) instead, which are stable and searchable."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/STARTUP_AND_CONFIG.md` around lines 86 - 88, Remove the hardcoded line
range "src/config/types.rs:21-26" from the Database docs and instead reference
the source file and config type (e.g., src/config/types.rs and the Database
config struct/type that defines `url`) or the specific config field names
(`url`) so the doc points to stable, searchable identifiers rather than volatile
line numbers; update the text to say something like "see src/config/types.rs
(Database config/type) for the `url` field" and keep the existing examples.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Cargo.toml`:
- Line 73: The Cargo.toml dependency points to a non-existent release
"mostro-core = { version = \"0.8.0\", features = [\"sqlx\"] }"; update it to a
published version or revert to the last released version (e.g., change the
mostro-core version string from "0.8.0" to "0.7.1") or replace it with a
path/git dependency until upstream publishes 0.8.0; look for the dependency
entry named mostro-core in Cargo.toml and either set version = "0.7.1" or switch
to an appropriate git/path override referencing the branch/commit that contains
the 0.8.0 changes.

In `@docs/RPC_RATE_LIMITING.md`:
- Around line 5-12: Update the docs to clearly state that failed-attempt
backoff/lockout are generic capabilities of the in-memory rate limiter
(src/rpc/rate_limiter.rs) and not exercised by the current ValidateDbPassword
RPC stub; explicitly note that the validate_db_password handler in
src/rpc/service.rs only calls record_success and ignores the password, and
either remove or re-label paragraphs that describe failure/lockout behavior as
“generic limiter behavior (not used by ValidateDbPassword)”; ensure references
to ValidateDbPassword, validate_db_password, and record_success are used so
readers can map the doc to the implementation.

In `@docs/STARTUP_AND_CONFIG.md`:
- Around line 87-88: The docs example shows a SQLite URL using a tilde
(`sqlite://~/.mostro/mostro.db`) which SQLx does not expand; update the `url`
example in the STARTUP_AND_CONFIG.md section describing the `url` (String)
database connection to remove the tilde example and replace it with either a
fully expanded absolute path (e.g., `sqlite:///home/user/.mostro/mostro.db`) or
a relative path (e.g., `sqlite://mostro.db`) so the `url` example is valid for
SQLx's parser.

---

Outside diff comments:
In `@docker/README.md`:
- Around line 65-77: The README currently shows two examples in Step 4 that both
run `make docker-up`, causing Step 5 to repeat the same startup command; update
the examples so Step 4 only demonstrates setting the MOSTRO_RELAY_LOCAL_PORT
environment variable (e.g., use `export MOSTRO_RELAY_LOCAL_PORT=7000` and
`MOSTRO_RELAY_LOCAL_PORT=7000` forms without `make docker-up`) or alternatively
make Step 5 state “If you haven’t already run `make docker-up`, run it now” to
avoid instructing users to start Compose twice; modify the text around
MOSTRO_RELAY_LOCAL_PORT and `make docker-up` accordingly to remove the duplicate
invocation.

---

Nitpick comments:
In `@docs/STARTUP_AND_CONFIG.md`:
- Around line 86-88: Remove the hardcoded line range "src/config/types.rs:21-26"
from the Database docs and instead reference the source file and config type
(e.g., src/config/types.rs and the Database config struct/type that defines
`url`) or the specific config field names (`url`) so the doc points to stable,
searchable identifiers rather than volatile line numbers; update the text to say
something like "see src/config/types.rs (Database config/type) for the `url`
field" and keep the existing examples.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8bef6ff8-89cc-4d55-b8a5-d140cf05dec6

📥 Commits

Reviewing files that changed from the base of the PR and between 2f99d57 and 213c1a2.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (20)

• .gitignore
• Cargo.toml
• docker/README.md
• docker/compose.yml
• docs/RPC.md
• docs/RPC_RATE_LIMITING.md
• docs/STARTUP_AND_CONFIG.md
• examples/rpc_client.rs
• proto/admin.proto
• src/app/admin_take_dispute.rs
• src/app/rate_user.rs
• src/app/release.rs
• src/app/take_buy.rs
• src/app/take_sell.rs
• src/app/trade_pubkey.rs
• src/cli.rs
• src/db.rs
• src/main.rs
• src/rpc/service.rs
• src/util.rs

💤 Files with no reviewable changes (1)

• docker/compose.yml

[arkanoider]

@coderabbitai check again https://crates.io/crates/mostro-core
v 8.0.0 is alive!

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

The search results show the versions page listing only up to 0.7.1. Let me check the specific 0.8.0 page directly.

@arkanoider: I appreciate the heads-up! My web search results are still returning 0.7.1 as the latest mostro-core version on crates.io — it's possible the search index hasn't caught up yet with a very recent publish.

If 0.8.0 is now live on crates.io as you confirm, then the dependency bump in Cargo.toml is valid. Could you share the direct link to https://crates.io/crates/mostro-core/0.8.0 so I can update my review comment accordingly? Once confirmed, I'll resolve the related review comment.

---

🧠 Learnings used

Learnt from: grunch
Repo: MostroP2P/mostro PR: 646
File: src/db.rs:1189-1198
Timestamp: 2026-03-10T19:02:36.608Z
Learning: In MostroP2P/mostro issue `#642`, the removal of database encryption is a phased migration: Phase 3 (PR `#645`) decrypts all master_buyer_pubkey and master_seller_pubkey values in-place to plaintext, and Phase 4 (PR `#646`) removes the dual encrypted/unencrypted code paths from db.rs. These PRs must be merged in order. By the time Phase 4 lands on main, all master_*_pubkey columns are already plaintext, so direct SQL equality comparisons (WHERE master_buyer_pubkey = ?) are correct and no decrypt-and-compare fallback is needed.

---

Learnt from: grunch
Repo: MostroP2P/mostro PR: 646
File: src/db.rs:1317-1336
Timestamp: 2026-03-10T19:02:57.650Z
Learning: In the MostroP2P/mostro codebase, the migration issue `#642` is split into phases. Phase 3 (PR `#645`) migrates all master_buyer_pubkey and master_seller_pubkey columns from encrypted (CryptoUtils::store_encrypted) to plaintext storage. Phase 4 (PR `#646`, src/db.rs) removes the encrypted code paths and relies exclusively on direct SQL equality (WHERE master_buyer_pubkey = ?) for restore-session queries (find_user_orders_by_master_key, find_user_disputes_by_master_key, has_pending_order_with_status). After Phase 3 is applied, no in-memory decryption fallback is needed for these columns; direct comparison is correct.

---

Learnt from: CR
Repo: MostroP2P/mostro PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-11T20:28:57.988Z
Learning: Base work on `main` branch; keep topics scoped. Squash fixups before review. PRs should link the motivating issue, include `cargo test` output, and call out schema or config changes.

[arkanoider]

Ok @coderabbitai try fetching from version API:

https://crates.io/api/v1/crates/mostro-core

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

The web search still shows 0.7.1 as the latest. Let me try fetching the API directly via a shell script.

---

🏁 Script executed:

#!/bin/bash
curl -s "https://crates.io/api/v1/crates/mostro-core" \
  -H "User-Agent: coderabbitai-bot/1.0" \
  | python3 -c "
import json, sys
data = json.load(sys.stdin)
crate = data.get('crate', {})
print('Newest version:', crate.get('newest_version'))
print('Max version:', crate.get('max_version'))
versions = data.get('versions', [])
print('\\nAll versions (top 10):')
for v in versions[:10]:
    print(' -', v.get('num'), '| published:', v.get('updated_at'), '| yanked:', v.get('yanked'))
"

Length of output: 731

---

@arkanoider: Confirmed! The crates.io API makes it crystal clear:

• mostro-core 0.8.0 is live, published on 2026-03-18, and is not yanked.
• It is both the newest_version and max_version on the registry.

The Cargo.toml bump from 0.7.1 → 0.8.0 is fully valid. I apologize for the earlier confusion — my web search index was just lagging behind the actual registry. The dependency update in this PR is correct. ✅

---

🧠 Learnings used

Learnt from: grunch
Repo: MostroP2P/mostro PR: 646
File: src/db.rs:1317-1336
Timestamp: 2026-03-10T19:02:57.650Z
Learning: In the MostroP2P/mostro codebase, the migration issue `#642` is split into phases. Phase 3 (PR `#645`) migrates all master_buyer_pubkey and master_seller_pubkey columns from encrypted (CryptoUtils::store_encrypted) to plaintext storage. Phase 4 (PR `#646`, src/db.rs) removes the encrypted code paths and relies exclusively on direct SQL equality (WHERE master_buyer_pubkey = ?) for restore-session queries (find_user_orders_by_master_key, find_user_disputes_by_master_key, has_pending_order_with_status). After Phase 3 is applied, no in-memory decryption fallback is needed for these columns; direct comparison is correct.

---

Learnt from: grunch
Repo: MostroP2P/mostro PR: 646
File: src/db.rs:1189-1198
Timestamp: 2026-03-10T19:02:36.608Z
Learning: In MostroP2P/mostro issue `#642`, the removal of database encryption is a phased migration: Phase 3 (PR `#645`) decrypts all master_buyer_pubkey and master_seller_pubkey values in-place to plaintext, and Phase 4 (PR `#646`) removes the dual encrypted/unencrypted code paths from db.rs. These PRs must be merged in order. By the time Phase 4 lands on main, all master_*_pubkey columns are already plaintext, so direct SQL equality comparisons (WHERE master_buyer_pubkey = ?) are correct and no decrypt-and-compare fallback is needed.

---

Learnt from: CR
Repo: MostroP2P/mostro PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-11T20:28:57.988Z
Learning: Base work on `main` branch; keep topics scoped. Squash fixups before review. PRs should link the motivating issue, include `cargo test` output, and call out schema or config changes.

[mostronatorcoder]

Review Summary

Scope

Documentation and cleanup PR completing the SQLite encryption removal story. Removes unused:

• MOSTRO_DB_PASSWORD from Docker config
• rpassword, argon2, secrecy crates
• Obsolete documentation

CI Status

✅ All checks passing (build, test, MSRV, fmt, clippy)

Code Changes

src/util.rs: Variable rename user_decrypted_key → master_key. Purely cosmetic — aligns naming with the fact that there is no decryption happening anymore. LGTM.

Cargo.toml: Bumps mostro-core to 0.8.0. CI passes with this version, confirming it exists on crates.io.

Documentation

File	Assessment
docs/RPC.md	Good, clarifies ValidateDbPassword is backward-compat stub
docs/RPC_RATE_LIMITING.md	Needs clarification (see below)
docs/STARTUP_AND_CONFIG.md	Good, SQLx tilde note is accurate
docker/README.md, docker/compose.yml	Good cleanup
proto/admin.proto	Good comment updates
examples/rpc_client.rs	Good, empty password with comment

CodeRabbit Issue (Minor)

docs/RPC_RATE_LIMITING.md: The intro now correctly states that validate_db_password only calls record_success and ignores the password. However, the table showing "Failed Attempts" and "Lockout" behavior still reads as if it applies to this endpoint.

Suggestion: Add a note before the table like:

> **Note:** The following describes the generic `RateLimiter` capabilities. The current `ValidateDbPassword` handler does not call `record_failure`, so these behaviors are not exercised by that endpoint.

Verdict

Approve — The changes are correct and CI passes. The documentation clarification is minor and can be addressed in a follow-up if desired.

LGTM 🦀