Problem
Connection passwords are stored as plain TEXT in SQLite with no encryption. The `list()` method SELECTs the password column, returning all passwords to the frontend over IPC.
Impact
- Any user with access to `connections.db` can read all database credentials
- Malware or system compromise exposes all saved passwords
- Passwords leak to frontend JavaScript context unnecessarily
Affected Files
- `src-tauri/crates/mas-core/src/connection/store.rs:35,102`
- `src-tauri/crates/mas-core/src/models/connection.rs:13`
Suggested Fix
- Use OS-native credential storage (Keychain, Windows Credential Manager, libsecret)
- Tauri provides `tauri-plugin-keyring` for this
- At minimum: AES-256 encryption with OS-derived key
- Create `ConnectionProfileSummary` struct without password for listing
Severity: Critical — Security vulnerability
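
A sketch of the split the suggested fix describes, added here as an illustration and not taken from the project's code: `list()` returns only a password-free `ConnectionProfileSummary`, and the password lives solely in a secret store. The `SecretStore` trait, `MemorySecrets`, `ConnectionStore`, `password_for` and the struct fields are assumptions; the in-memory map stands in for the OS keyring and the `Vec` for the SQLite table.

```rust
use std::collections::HashMap;

/// Hypothetical abstraction over the OS credential store (Keychain,
/// Windows Credential Manager, libsecret). Not an API of this project.
pub trait SecretStore {
    fn set(&mut self, id: &str, secret: &str);
    fn get(&self, id: &str) -> Option<String>;
    fn delete(&mut self, id: &str);
}

/// In-memory stand-in so the example runs offline.
#[derive(Default)]
pub struct MemorySecrets(HashMap<String, String>);
impl SecretStore for MemorySecrets {
    fn set(&mut self, id: &str, secret: &str) { self.0.insert(id.into(), secret.into()); }
    fn get(&self, id: &str) -> Option<String> { self.0.get(id).cloned() }
    fn delete(&mut self, id: &str) { self.0.remove(id); }
}

/// What list() hands to the frontend: the type has no password field at all.
#[derive(Debug, Clone, PartialEq)]
pub struct ConnectionProfileSummary { pub id: String, pub name: String, pub host: String, pub user: String }

pub struct ConnectionStore<S: SecretStore> {
    rows: Vec<ConnectionProfileSummary>, // stands in for the SQLite table
    secrets: S,
}

impl<S: SecretStore> ConnectionStore<S> {
    pub fn new(secrets: S) -> Self { Self { rows: Vec::new(), secrets } }
    /// Metadata goes to the table; the password goes only to the secret store.
    pub fn save(&mut self, profile: ConnectionProfileSummary, password: &str) {
        self.secrets.set(&profile.id, password);
        self.rows.retain(|r| r.id != profile.id);
        self.rows.push(profile);
    }
    pub fn list(&self) -> Vec<ConnectionProfileSummary> { self.rows.clone() }
    /// Backend-only lookup used when opening a connection; not exposed over IPC.
    pub fn password_for(&self, id: &str) -> Option<String> { self.secrets.get(id) }
    /// Deleting a profile must also delete its stored secret.
    pub fn remove(&mut self, id: &str) {
        self.rows.retain(|r| r.id != id);
        self.secrets.delete(id);
    }
}

fn main() {
    let mut store = ConnectionStore::new(MemorySecrets::default());
    let p = ConnectionProfileSummary { id: "c1".into(), name: "staging".into(), host: "db.example.internal".into(), user: "app".into() };
    store.save(p, "constructed-secret"); // constructed sample values
    println!("{:?}", store.list());
}
```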