feat: Implement database encryption and improve testing for WasmJs

- **Database Encryption**:
    - Migrate to `SQLite3MultipleCiphers` WASM to support encryption (AES) in the browser via OPFS.
    - Implement `encrypt`, `decrypt`, and `rekey` operations in `WebSafeRepo` using `PRAGMA key` and `PRAGMA rekey` statements.
    - Update `sqlite.worker.js` to attempt initialization with the `multipleciphers-opfs` VFS, falling back to standard `opfs` if unavailable.
    - Introduce a database readability check in `WebSafeRepo` to detect encrypted databases and handle incorrect keys.

- **Testing Infrastructure**:
    - Add a comprehensive Karma configuration (`wasm-config.js`) to handle WASM file serving, middleware redirects, and extended timeouts for WasmGC compilation.
    - Implement `isKarmaTestRunner()` check in `main.kt` to prevent production app initialization during UI tests.
    - Auto-detect local Chrome/Chromium binaries for running Karma tests across different operating systems.
    - Expand `WebUiTests` with specific test cases for CRUD, encryption flows, and backup features.
    - Add `SimpleWasmTest` to verify basic Compose and arithmetic functionality on the WasmJs platform.

- **Build & Documentation**:
    - Update `build.gradle.kts` to automate the download and extraction of `SQLite3MultipleCiphers` WASM artifacts.
    - Update project `README.md` and 8 `OPFS_IMPLEMENTATION.md` to reflect new encryption capabilities for the Web platform.
    - Synchronize `sqlite.worker.js` implementation across app and test source sets.
    - Standardize `WebSafeRepo` to use `PlatformSQLiteState` for tracking encryption status.

Author: softartdev

README.md

@@ -34,15 +34,15 @@ Supported platforms:
 
 ![Architecture blueprint for this project](docs/diagrams/architecture.png)
 
-## WORK IN PROGRESS 🛠
+## FEATURES ✨
 
 | feature \ platform | Android | iOS | Desktop Java | Web |
 |:------------------:|:-------:|:---:|:------------:|:---:|
 |      database      |    ✅    | ✅	  |      ✅	      |  ✅  |
-|     encryption     |    ✅    | ✅ 	 |      ✅	      |     |
+|     encryption     |    ✅    | ✅ 	 |      ✅	      |  ✅  |
 |       backup       |    ✅    | ✅	  |      ✅	      |  ✅  |
 
-Check out [CONTRIBUTING.md](/CONTRIBUTING.md) if you want to develop missing features.
+Interested in contributing new features or fixes? Check out [CONTRIBUTING.md](/CONTRIBUTING.md).
 
 ## CONTINUOUS INTEGRATION / DELIVERY ♻️
 

app/web/README.md

@@ -84,10 +84,10 @@ HTML entry point:
 
 ### Database
 
-- **Official SQLite WASM**: Native SQLite compiled to WebAssembly
+- **SQLite3MultipleCiphers WASM**: SQLite with encryption support compiled to WebAssembly
 - **OPFS Storage**: Origin-Private FileSystem for persistent database storage
 - **Web Worker**: Database operations run off the main thread
-- **No encryption**: SQLCipher not available in browsers
+- **Encryption ready**: [SQLite3MultipleCiphers](https://github.com/utelle/SQLite3MultipleCiphers) provides cipher support in the browser
 
 ### Webpack
 
@@ -124,7 +124,7 @@ build/dist/wasmJs/productionExecutable/
 ├── composeApp.wasm              # Application WebAssembly binary
 ├── skiko.wasm                   # Skia graphics engine
 ├── sqlite3.js                   # SQLite JavaScript
-├── sqlite3.wasm                 # Official SQLite WASM
+├── sqlite3.wasm                 # SQLite3MultipleCiphers WASM (with encryption)
 ├── sqlite.worker.js             # Custom OPFS worker
 ├── coi-serviceworker.js         # Service worker for headers
 └── sql-wasm.wasm               # Legacy SQL.js (fallback)
@@ -280,7 +280,7 @@ fun isWasmSupported(): Boolean = js("""
 
 ### Current Limitations
 
-1. ❌ **No encryption**: SQLCipher not available in browsers
+1. ✅ **Encryption**: [SQLite3MultipleCiphers](https://github.com/utelle/SQLite3MultipleCiphers) WASM provides encrypt/decrypt/rekey via `PRAGMA key`/`PRAGMA rekey`
 2. ✅ **Storage**: OPFS provides persistent database storage
 3. ⚠️ **File access**: Restricted browser file API
 4. ⚠️ **Performance**: Slower than native (improving)
@@ -309,7 +309,7 @@ The web app now uses OPFS (Origin-Private FileSystem) for persistent database st
 - ✅ **Persistent storage**: Survives browser sessions
 - ✅ **Better performance**: Direct file system access  
 - ✅ **Larger capacity**: Not limited by IndexedDB quotas
-- ✅ **Real SQLite**: Uses official SQLite WASM build
+- ✅ **Real SQLite with encryption**: Uses SQLite3MultipleCiphers WASM build
 
 ### Browser Support
 
@@ -506,7 +506,7 @@ When working with this module:
 3. **Size matters**: Minimize bundle size
 4. **Progressive enhancement**: Detect and use modern APIs gracefully
 5. **Testing**: Test in multiple browsers
-6. **Security**: No sensitive data without encryption
+6. **Security**: Encryption available via SQLite3MultipleCiphers
 7. **Performance**: Profile and optimize load time
 8. **Responsive**: Support mobile and desktop browsers
 9. **Accessibility**: Follow WCAG guidelines

app/web/build.gradle.kts

@@ -16,27 +16,22 @@ kotlin {
     wasmJs {
         outputModuleName.set("composeApp")
         browser {
-            val rootDirPath = project.rootDir.path
-            val projectDirPath = project.projectDir.path
-            testTask {
-                useKarma {
-                    useChrome()
-                    useChromeHeadless()
-                }
-            }
+            val rootDirPath: String = project.rootDir.path
+            val projectDirPath: String = project.projectDir.path
             commonWebpackConfig {
                 outputFileName = "composeApp.js"
                 devServer = (devServer ?: KotlinWebpackConfig.DevServer()).apply {
-                    // Serve sources to debug inside browser
+                    // Serve sources to debug inside the browser
                     static(rootDirPath)
                     static(projectDirPath)
                 }
             }
+            testTask { useKarma { useChromeHeadless() } }
         }
         binaries.executable()
     }
     sourceSets {
-        val wasmJsMain by getting {
+        wasmJsMain {
             dependencies {
                 implementation(projects.core.domain)
                 implementation(projects.core.presentation)
@@ -49,37 +44,61 @@ kotlin {
             }
             resources.srcDir(layout.buildDirectory.dir("sqlite"))
         }
-        val wasmJsTest by getting {
+        wasmJsTest {
             dependencies {
                 implementation(kotlin("test"))
                 implementation(projects.ui.test)
                 implementation(libs.compose.ui.test)
+                implementation(libs.compose.material3)
                 implementation(libs.compose.material.icons.extended)
                 implementation(libs.androidx.lifecycle.runtime.compose)
                 implementation(libs.androidx.lifecycle.runtime.testing)
+                implementation(libs.androidx.paging.common)
             }
             resources.srcDir(layout.buildDirectory.dir("sqlite"))
         }
     }
 }
 
-val chromeBinaryFromEnv = providers.environmentVariable("CHROME_BIN").orNull
-val hasChromeForTests = chromeBinaryFromEnv?.let { file(it).exists() } == true
+// Chrome binary for Karma tests.
+// Auto-detects Chrome on macOS/Linux/Windows when CHROME_BIN is not set.
+// NOTE: WasmGC module compilation in Chrome is very slow for large modules (~30 MB test WASM).
+// The main() function is guarded with isKarmaTestRunner() check to prevent the production app
+// from launching during tests (see main.kt).
+val defaultChromePaths: List<String> = listOf(
+    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",          // macOS
+    "/usr/bin/google-chrome-stable",                                         // Linux (stable)
+    "/usr/bin/google-chrome",                                                // Linux
+    "/usr/bin/chromium-browser",                                             // Linux (Chromium)
+    "/usr/bin/chromium",                                                     // Linux (Chromium alt)
+    "C:/Program Files/Google/Chrome/Application/chrome.exe",                 // Windows
+    "C:/Program Files (x86)/Google/Chrome/Application/chrome.exe",           // Windows x86
+)
+val chromeBinary: String? = providers.environmentVariable("CHROME_BIN").orNull
+    ?: defaultChromePaths.firstOrNull { file(it).exists() }
 
 tasks.named<KotlinJsTest>("wasmJsBrowserTest").configure {
-    enabled = hasChromeForTests
+    enabled = chromeBinary != null
+    if (chromeBinary != null) {
+        environment("CHROME_BIN", chromeBinary)
+    }
 }
 
-val sqliteVersion = 3500400 // See https://sqlite.org/download.html for the latest wasm build version
-val sqliteDownload = tasks.register("sqliteDownload", Download::class.java) {
-    src("https://sqlite.org/2025/sqlite-wasm-$sqliteVersion.zip")
+// SQLite3MultipleCiphers WASM build with encryption support
+// See https://github.com/utelle/SQLite3MultipleCiphers/releases for the latest version
+val sqlite3mcVersion = "2.2.7"
+val sqliteVersion = "3.51.2"
+val sqliteWasmVersion = "3510200"
+val sqlite3mcZip = "sqlite3mc-$sqlite3mcVersion-sqlite-$sqliteVersion-wasm.zip"
+val sqliteDownload: Provider<Download> = tasks.register("sqliteDownload", Download::class.java) {
+    src("https://github.com/utelle/SQLite3MultipleCiphers/releases/download/v$sqlite3mcVersion/$sqlite3mcZip")
     dest(layout.buildDirectory.dir("tmp"))
     onlyIfModified(true)
 }
-val sqliteUnzip = tasks.register("sqliteUnzip", Copy::class.java) {
+val sqliteUnzip: TaskProvider<Copy> = tasks.register("sqliteUnzip", Copy::class.java) {
     dependsOn(sqliteDownload)
-    from(zipTree(layout.buildDirectory.dir("tmp/sqlite-wasm-$sqliteVersion.zip"))) {
-        include("sqlite-wasm-$sqliteVersion/jswasm/**")
+    from(zipTree(layout.buildDirectory.dir("tmp/$sqlite3mcZip"))) {
+        include("sqlite3mc-wasm-$sqliteWasmVersion/jswasm/**")
         exclude("**/*worker1*") // We use our own worker
         eachFile {
             relativePath = RelativePath(true, *relativePath.segments.drop(2).toTypedArray())

app/web/karma.config.d/wasm-config.js

@@ -0,0 +1,131 @@
+// Karma configuration for Compose WASM UI tests
+//
+// Key issues this config solves:
+// 1. WASM file serving: webpack bundles JS but not .wasm files. The bundled code
+//    tries to fetch .wasm relative to import.meta.url (a webpack temp path).
+//    We add a middleware to redirect .wasm requests to the correct location.
+// 2. Timeouts: WasmGC module (~30 MB) compilation blocks the main thread during init.
+// 3. Source-map performance: skipping source-map-loader for large WASM glue files.
+
+const path = require('path');
+const fs = require('fs');
+
+function findRepoRoot(startDir) {
+    let current = startDir;
+    while (current !== path.dirname(current)) {
+        if (
+            fs.existsSync(path.join(current, 'settings.gradle.kts')) ||
+            fs.existsSync(path.join(current, 'settings.gradle'))
+        ) {
+            return current;
+        }
+        current = path.dirname(current);
+    }
+    return startDir;
+}
+
+const repoRoot = findRepoRoot(process.cwd());
+const composeResourcesAbsolutePath = path.resolve(
+    repoRoot,
+    'app',
+    'web',
+    'build',
+    'processedResources',
+    'wasmJs',
+    'main',
+    'composeResources'
+).replace(/\\/g, '/');
+
+// Middleware to serve .wasm files from the correct location
+// Webpack sets import.meta.url to a temp directory, so fetch('x.wasm') goes to the
+// wrong path. This middleware intercepts .wasm requests and serves them from kotlin/.
+function wasmFileMiddleware(config) {
+    const basePath = config.basePath;
+    const composeResourcesRoot = path.resolve(
+        repoRoot,
+        'app',
+        'web',
+        'build',
+        'processedResources',
+        'wasmJs',
+        'main'
+    );
+    return function(req, res, next) {
+        const cleanUrl = req.url.split('?')[0];
+
+        if (cleanUrl.includes('/composeResources/')) {
+            const composeIndex = cleanUrl.indexOf('/composeResources/');
+            const relativePath = cleanUrl.substring(composeIndex + 1);
+            const resourcePath = path.join(composeResourcesRoot, relativePath);
+            if (fs.existsSync(resourcePath)) {
+                res.setHeader('Content-Type', 'application/octet-stream');
+                fs.createReadStream(resourcePath).pipe(res);
+                return;
+            }
+        }
+        if (cleanUrl.endsWith('.wasm') && !cleanUrl.endsWith('sql-wasm.wasm')) {
+            const filename = path.basename(cleanUrl);
+            const wasmPath = path.join(basePath, 'kotlin', filename);
+            if (fs.existsSync(wasmPath)) {
+                res.setHeader('Content-Type', 'application/wasm');
+                res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
+                res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
+                fs.createReadStream(wasmPath).pipe(res);
+                return;
+            }
+        }
+        next();
+    };
+}
+
+// Register middleware as an inline Karma plugin
+config.plugins = config.plugins || [];
+config.plugins.push({
+    'middleware:wasmFileServer': ['factory', function() {
+        return wasmFileMiddleware(config);
+    }]
+});
+
+config.set({
+    beforeMiddleware: ['wasmFileServer'],
+    middleware: ['wasmFileServer'],
+    proxies: Object.assign({}, config.proxies, {
+        '/composeResources/': `/absolute/${composeResourcesAbsolutePath}/`
+    }),
+
+    // WasmGC compilation blocks the main thread for ~15-18 min on the first run.
+    // pingTimeout must exceed compilation time so the socket stays alive.
+    pingTimeout: 1200000, // 20 min
+    browserSocketTimeout: 1200000, // 20 min
+    browserNoActivityTimeout: 1500000, // 25 min
+    browserDisconnectTimeout: 60000, // 1 min
+    browserDisconnectTolerance: 1,
+    captureTimeout: 60000, // 1 min
+    processKillTimeout: 5000, // 5 sec
+
+    client: {
+        mocha: {
+            timeout: 60000 // 1 min
+        }
+    },
+
+    customLaunchers: {
+        ChromeHeadlessForWasm: {
+            base: 'ChromeHeadless',
+            flags: [
+                '--no-sandbox',
+                '--enable-features=SharedArrayBuffer'
+            ]
+        }
+    },
+    browsers: ['ChromeHeadlessForWasm']
+});
+
+// Speed up webpack compilation by skipping source-map-loader for large WASM glue files.
+if (config.webpack && config.webpack.module && config.webpack.module.rules) {
+    config.webpack.module.rules.forEach(function(rule) {
+        if (rule.use && rule.use.indexOf('source-map-loader') !== -1) {
+            rule.exclude = [/skiko\.m?js$/, /\.uninstantiated\.m?js$/];
+        }
+    });
+}

app/web/src/wasmJsMain/kotlin/com/softartdev/notedelight/main.kt

@@ -1,4 +1,4 @@
-@file:OptIn(ExperimentalComposeUiApi::class)
+@file:OptIn(ExperimentalComposeUiApi::class, ExperimentalWasmJsInterop::class)
 
 package com.softartdev.notedelight
 
@@ -13,6 +13,7 @@ import kotlinx.browser.document
 import org.koin.core.context.startKoin
 
 fun main() {
+    if (isKarmaTestRunner()) return
     Logger.setTag(DEFAULT_APP_LOG_TAG)
     startKoin {
         kermitLogger()
@@ -22,3 +23,6 @@ fun main() {
         App()
     }
 }
+
+@JsFun("() => typeof window !== 'undefined' && window.__karma__ != null")
+private external fun isKarmaTestRunner(): Boolean

app/web/src/wasmJsMain/resources/sqlite.worker.js

@@ -13,9 +13,22 @@ let db = null;
 async function createDatabase() {
   if (sqlite3Available) {
     const sqlite3 = await sqlite3InitModule();
+    const capi = sqlite3.capi;
 
-    // This is the key part for OPFS support
-    // It instructs SQLite to use the OPFS VFS.
+    // Try opfs VFS with encryption wrapper (sqlite3mc).
+    // The regular "opfs" VFS stores files in the OPFS root directory,
+    // which is required for export/import to work via navigator.storage.getDirectory().
+    try {
+      const rc = capi.sqlite3mc_vfs_create("opfs", 0);
+      if (rc === 0) {
+        db = new sqlite3.oo1.DB("file:database.db?vfs=multipleciphers-opfs", "c");
+        return;
+      }
+    } catch (error) {
+      // multipleciphers-opfs not available
+    }
+
+    // Fallback: try opfs without encryption
     try {
       db = new sqlite3.oo1.DB("file:database.db?vfs=opfs", "c");
       return;