- Add src/lib/ipfs.ts: AES-256-GCM encryption + kubo upload/download
- Add /api/ipfs/[cid] proxy route: decrypt + serve with LRU cache
- Upload route: encrypt + pin to IPFS alongside local disk (fallback)
- Prisma: add ipfsCid/ipfsEncKey fields to File model
- FileUpload: prefer IPFS proxy URL when available
- Feature-flagged via IPFS_ENABLED env var
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements workspace-scoped data isolation via subdomain routing:
- Schema: add workspaceSlug to Notebook model + migration
- Middleware: extract subdomain → x-workspace-slug header
- API: filter notebooks/notes/search by workspace on subdomains
- AppSwitcher: generate <username>.r*.online links when logged in
- Sessions: SubdomainSession component syncs auth across subdomains
via .rnotes.online domain-wide cookie
- Auth: auto-migrate unscoped notebooks to user's workspace
- New /api/me endpoint for client-side auth + workspace state
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett