THU-420: E2EE Config Updates

[raivieiraadriano92]

Summary

• E2EE was always-on, requiring the full encryption setup flow before sync could work. This makes both VITE_E2EE_ENABLED (frontend) and E2EE_ENABLED (backend) default to false, so sync works out of the box without encryption.
• Operators must set both env vars to "true" to enable E2EE.

Frontend

• Invert isEncryptionEnabled() to require explicit VITE_E2EE_ENABLED="true"
• Add needsSyncSetupWizard() shared helper used by both sign-in flow and sync toggle
• Skip pending device notification modal when E2EE is disabled
• Update .env.example comments

Backend

• Add e2eeEnabled setting (E2EE_ENABLED env var, default false)
• Skip device trust check in validateDeviceForSync when E2EE is disabled
• Auto-trust devices on upsert when E2EE is disabled (clears stale approvalPending)
• Scope allowNewDevice bypass to token path only — upload still requires device to exist (defense-in-depth)
• Update .env.example with new env var

Docs

• Update docs/e2e-encryption.md Configuration section with both FE and BE env vars

Test plan

• bun test passes in backend (55 powersync tests, 3 new E2EE settings tests)
• make check passes (typecheck, lint, format)
• Fresh deploy with both env vars unset → sync works without encryption wizard
• Both env vars set to "true" → encryption wizard appears on first sync
• Revoked devices are still rejected regardless of E2EE flag

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes sync gating and device trust behavior in powersync token/upload paths; incorrect flag handling could weaken device enforcement or break sync enablement flows.

Overview
E2EE is now disabled by default and controlled by a single backend flag (E2EE_ENABLED), exposed via a new/expanded unauthenticated GET /config response ({ e2eeEnabled }) that the frontend persists in its config store.

PowerSync device enforcement is updated to respect this flag: when E2EE is off, token issuance can create/auto-trust devices (and upgrades existing devices to trusted), while uploads still require an existing non-revoked device; when E2EE is on, the existing trusted-device requirement remains.

On the frontend, isEncryptionEnabled() now reads the persisted backend config (removing VITE_E2EE_ENABLED), adds needsSyncSetupWizard() to gate sync enablement in both sign-in and the sync toggle, and avoids showing pending-device notifications when encryption is disabled; docs/tests are updated accordingly.

^{Reviewed by Cursor Bugbot for commit 834b290. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Semgrep Security Scan

No security issues found.

[github-actions]

PR Metrics

Metric	Value
Lines changed (prod code)	+139 / -61
JS bundle size (gzipped)	🟢 1.02 MB → 1.02 MB (-175 B, -0.0%)
Test coverage	🟡 70.57% → 70.44% (-0.1%)
Load time (preview)	Preview not ready — Render deploy may have timed out

Updated Tue, 21 Apr 2026 15:08:09 GMT · run #1068

[raivieiraadriano92]

Unhandled promise rejection in handleSignInSuccess: fixed in 5fb96a0
Dynamic import convention violation: fixed in aa14d7b

[raivieiraadriano92]

Fixed in aa14d7b (dynamic import) and 5fb96a0 (async rejection)

[raivieiraadriano92]

Fixed in aa14d7b (dynamic import) and 5fb96a0 (async rejection)

[raivieiraadriano92]

Fixed in aa14d7b (dynamic import) and 5fb96a0 (async rejection)

[raivieiraadriano92]

Fixed in aa14d7b (dynamic import) and 5fb96a0 (async rejection)

[raivieiraadriano92]

Fixed in 9cbe8e2 — fetchConfig now returns null on failure, preserving the cached localStorage value.

[raivieiraadriano92]

Fixed in 9cbe8e2 — fetchConfig now returns null on failure, preserving the cached localStorage value.

[raivieiraadriano92]

E2EE downgrade: fixed in 9cbe8e2. Dynamic import: fixed in aa14d7b. Breaking change: by design.

[raivieiraadriano92]

E2EE downgrade: fixed in 9cbe8e2. Dynamic import: fixed in aa14d7b. Breaking change: by design.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[claude]

No issues found. The initialization is sequential (config fetch → DB init), the sign-in modal renders only after initData is set, and the device upsert correctly upgrades trust on conflict. LGTM.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 834b290. Configure here.}

[cursor]

Encryption decision made twice independently in initialize

Low Severity

isEncryptionEnabled() is read independently in getPowerSyncOptions (to configure transformers and sync worker) and again in initialize (to pick the database class). These two decisions are tightly coupled — ThunderboltPowerSyncDatabase is needed precisely when transformers are included — yet they're made via separate, uncorrelated reads. While safe today because both calls are synchronous with no intervening await, this creates a non-obvious coupling where future modifications could cause an inconsistency between the options and the database class.

Additional Locations (1)

• src/db/powersync/database.ts#L122-L123

 

^{Reviewed by Cursor Bugbot for commit 834b290. Configure here.}