{"id":48790753,"url":"https://github.com/divyamohan1993/shadownotes","last_synced_at":"2026-04-13T19:43:56.884Z","repository":{"id":339976441,"uuid":"1164045035","full_name":"divyamohan1993/shadownotes","owner":"divyamohan1993","description":"ShadowNotes — Offline-first encrypted field intelligence app. Voice → on-device AI → structured notes. Zero data leaves your device. Built with React, RunAnywhere SDK (Qwen2.5 LLM, Whisper STT, Piper TTS), WebAuthn, AES-256-GCM.","archived":false,"fork":false,"pushed_at":"2026-03-13T07:27:47.000Z","size":2464,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T19:43:55.492Z","etag":null,"topics":["dmjone","encryption","field-notes","hackathon","offline-first","on-device-ai","privacy-first","pwa","react","runanywhere-sdks","speech-to-text","typescript","vibe-coding","vite","voice-recognition","wasm","webauthn"],"latest_commit_sha":null,"homepage":"https://shadownotes.dmj.one","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/divyamohan1993.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-22T15:00:13.000Z","updated_at":"2026-03-13T07:27:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/divyamohan1993/shadownotes","commit_stats":null,"previous_names":["divyamohan1993/shadownotes"],"tags_count":0,"template":false,"template_full_name":null,"purl":
"pkg:github/divyamohan1993/shadownotes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/divyamohan1993%2Fshadownotes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/divyamohan1993%2Fshadownotes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/divyamohan1993%2Fshadownotes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/divyamohan1993%2Fshadownotes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/divyamohan1993","download_url":"https://codeload.github.com/divyamohan1993/shadownotes/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/divyamohan1993%2Fshadownotes/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31768649,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T15:25:13.801Z","status":"ssl_error","status_checked_at":"2026-04-13T15:25:09.162Z","response_time":93,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dmjone","encryption","field-notes","hackathon","offline-first","on-device-ai","privacy-first","pwa","react","runanywhere-sdks","speech-to-text","typescript","vibe-coding","vite","voice-recognition","wasm","webauthn"],"created_at":"2026-04-13T19:43:55.957Z","updated_at":"2026-04-13T19:43:56.867Z","avatar_url":"https://github.com/divyamohan1993.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ShadowNotes\n\n**The first on-device AI notebook for air-gapped intelligence work** — voice capture, streaming AI extraction, and zero-trace ephemeral storage, all running in your browser via WebAssembly.\n\n\u003e No cloud. No API keys. No servers. No trace. Every byte of AI processing runs on YOUR device.\n\n[Live Demo](https://shadownotes.dmj.one) | [Demo Video](https://youtube.com/watch?v=qqV9ezvwY6U) | [Field Manual](https://shadownotes.dmj.one/docs/field-manual.html) | [About the Hackathon \u0026 Vision](docs/vision-india2047.md)\n\n---\n\n## The Vision — Atmanirbhar Bharat meets India 2047\n\nShadowNotes is built with the spirit of **Atmanirbhar Bharat** (Self-Reliant India) and the **#India2047** vision at its core. 
Built for the [RunAnywhere Vibe Challenge](https://vibechallenge.runanywhere.org/) hackathon, facilitated by **ThoughtWorks Technologies**, this project demonstrates that critical AI-powered tools handling sensitive data — medical records, legal depositions, security audits, incident reports — must not depend on foreign cloud infrastructure.\n\nAs **Prof. Yoshua Bengio** (Turing Award 2018, Université de Montréal) emphasized at the **AI Impact Summit**, responsible AI deployment requires privacy by design, data governance, and democratization of AI capabilities. ShadowNotes answers this call: **every byte of AI processing runs on the user's device**, with zero network transmission of data — not as a privacy policy, but as an architectural guarantee.\n\n**Why this matters for India:**\n- Physicians in rural clinics can dictate AI-powered prescriptions without internet connectivity\n- Security auditors can document vulnerabilities without data leaving Indian soil\n- Legal practitioners can transcribe depositions with full attorney-client privilege\n- Incident responders can capture real-time intelligence at disaster sites, fully offline\n\nEach domain carries a Hindi name honouring India's heritage: **Sanjeevani** (Medical — \"The Life-Giving Herb\"), **Kavach** (Security — \"The Divine Shield\"), **Nyaaya** (Legal — \"The Path of Justice\"), **Prahari** (Incident — \"The Vigilant Sentinel\").\n\n\u003e Read the full vision: [About the Hackathon \u0026 India 2047 Vision](docs/vision-india2047.md)\n\n---\n\n## The Problem\n\nProfessionals handling classified, HIPAA-protected, or legally privileged information face an impossible choice:\n\n- **Cloud AI tools** send sensitive data to external servers — unacceptable for classified or privileged information\n- **Offline tools** lack AI capabilities — forcing manual categorization and extraction\n- **Existing secure apps** (encrypted Notion, Signal notes) don't understand domain context and can't extract structured 
intelligence\n\n**No existing tool combines AI-powered extraction with zero-network operation.** ShadowNotes is the first.\n\n## Why ShadowNotes Is Different\n\n| | Cloud AI (ChatGPT, Otter.ai) | Encrypted Notes (Standard Notes) | ShadowNotes |\n|---|---|---|---|\n| AI extraction | Yes (cloud) | No | **Yes (on-device)** |\n| Works offline | No | Yes | **Yes** |\n| Zero data transmission | No | Partial | **100%** |\n| Domain-aware extraction | No | No | **4 specialized domains** |\n| Streaming AI feedback | Yes (cloud) | N/A | **Yes (local WASM)** |\n| Ephemeral mode | No | No | **Built-in** |\n\n## RunAnywhere SDK Integration\n\nShadowNotes deeply integrates all three RunAnywhere SDK packages — **20+ load-bearing features** powering LLM streaming, audio intelligence, voice agents, and model lifecycle management.\n\n| SDK Feature | Package | How It's Used |\n|-------------|---------|---------------|\n| **`TextGeneration.generateStream()`** | `web-llamacpp` | Core extraction engine. Gemma 3 1B Instruct streams tokens one-by-one with real-time cursor animation. Domain-specific system prompts guide extraction and correct speech errors. |\n| **`StructuredOutput.extractJson()`** | `web-llamacpp` | JSON schema-guided validation fallback for reliable parsing when LLM returns structured data. |\n| **`ToolCalling.generateWithTools()`** | `web-llamacpp` | Available SDK feature for structured tool-call extraction. Not used in the active extraction pipeline. |\n| **`Embeddings` + `findSimilar()`** | `web-llamacpp` | Semantic deduplication, RAG context retrieval (`buildRAGContext`), and GlobalSearch reranking via cosine similarity. |\n| **`VoicePipeline` + `VoiceAgent`** | `web` | Hands-free agent mode: continuous listen → process → respond loop for field operatives. |\n| **`SDKLogger`** | `web` | Structured logging throughout SDK integration (replaces raw `console.*`). 
|\n| **`detectCapabilities()`** | `web` | Hardware detection (WebGPU, RAM, cores) for capability-aware performance presets. |\n| **`ModelManager` + `EventBus`** | `web` | Model lifecycle management with OPFS caching (~810MB) and real-time download progress events. |\n| **`RunAnywhere.initialize()`** | `web` | GPU detection with crash recovery. Probes WebGPU + shader-f16, falls back to CPU if WebGPU crashes. |\n| **`OPFSStorage`** | `web` | Origin Private File System cache for instant startup on return visits. |\n| **`STT` + `VAD` + `AudioCapture`** | `web-onnx` | On-device speech-to-text with voice activity detection and audio capture pipeline. |\n| **`TTS` + `AudioPlayback`** | `web-onnx` | Text-to-speech synthesis for agent mode spoken responses. |\n| **Advanced Sampling** | `web-llamacpp` | `topK: 40`, `topP: 0.9`, `temperature: 0.3`, `stopSequences` for factual extraction boundaries. |\n| **LlamaCPP + ONNX Frameworks** | `web-llamacpp`, `web-onnx` | Dual WASM backends — LlamaCPP for LLM inference, ONNX for audio models. 
|\n\n### Advanced LLM Configuration\n\n```typescript\n// Streaming generation with advanced sampling\nconst stream = await TextGeneration.generateStream(prompt, {\n  systemPrompt,            // Domain-specific extraction prompt with speech error correction\n  maxTokens: 150,          // Configurable via performance presets\n  temperature: 0.3,        // Low temperature for factual extraction\n  topP: 0.9,               // Nucleus sampling\n  topK: 40,                // Top-K sampling for diversity control\n  stopSequences: ['\\n\\n\\n', '---'],  // Early termination on extraction boundary\n});\n\n// Real-time token streaming to UI\nfor await (const token of stream.stream) {\n  updateStreamingDisplay(token);\n}\n```\n\n## Features\n\n### AI \u0026 Extraction\n- **Streaming AI Extraction** — Token-by-token LLM output with real-time UI feedback via `TextGeneration.generateStream()`\n- **Two-Layer Extraction** — Single LLM generation (StructuredOutput JSON + line-based parsing) → Keyword regex fallback\n- **VoiceAgent Hands-Free Mode** — `VoicePipeline` + `VoiceAgent` orchestrate a continuous listen-process-respond loop without manual button presses\n- **RAG Context Injection** — `buildRAGContext()` uses embeddings to semantically retrieve relevant prior findings and inject them into the LLM prompt\n- **Semantic Search Reranking** — GlobalSearch uses `findSimilar()` from the embeddings engine to rerank results by semantic relevance\n- **Semantic Deduplication** — Cosine-similarity based dedup prevents near-duplicate intelligence items\n- **4 Domain Profiles** — Security Audit, Legal Deposition, Medical Notes, Incident Report — each with tailored system prompts and speech error correction\n- **Capability-Aware Presets** — Auto-detects device hardware (WebGPU, RAM, cores) and adapts AI performance settings\n\n### Security \u0026 Privacy\n- **Encrypted Vault** — AES-256-GCM with per-case HKDF-derived keys for compartmentalized storage\n- **WebAuthn/Biometric Auth** — 
Windows Hello / Touch ID with PRF for key material derivation\n- **Brute-Force Protection** — Exponential backoff (5s/15s/30s/60s) after 3 failed unlock attempts\n- **Schema Validation** — Decrypted content validated against expected structure before use\n- **Security Headers** — HSTS, CSP with WASM support, Referrer-Policy, Permissions-Policy\n- **DESTROY Mode** — Cinematic burn animation + complete state wipe with zero-trace guarantee\n\n### User Experience\n- **Onboarding Tutorial** — 3-step first-run walkthrough with keyboard navigation and ARIA accessibility\n- **Error Recovery** — React error boundary catches crashes and provides a one-click recovery UI\n- **Loading Skeletons** — Shimmer animation states during boot sequence\n- **Voice Commands** — \"Hey Shadow, delete case...\" with fuzzy matching\n- **Editable Intelligence** — Click any AI-extracted finding to correct inline\n- **Cross-Session Context** — Prior findings auto-injected into LLM context for deduplication\n- **Encrypted Export/Import** — `.shadow` files with independent passphrase encryption\n- **Global Search** — Decryption-at-query across all cases with semantic reranking\n- **Auto-Save Drafts** — Debounced persistence during active capture\n- **Session Dossier** — Complete summary view with grouped intelligence findings\n- **Classified Dossier UI** — Authentic declassified-document aesthetic with stamps, CRT effects, and monospace typography\n- **WCAG 2.2 Accessible** — 172+ ARIA attributes, keyboard-navigable, screen-reader-friendly, reduced-motion support\n\n## Tech Stack\n\n| Component | Technology |\n|-----------|-----------|\n| Framework | React 19 + TypeScript 5.9 (strict mode) |\n| Build Tool | Vite 7 + ESLint 10 |\n| AI SDK | RunAnywhere Web SDK — `web`, `web-llamacpp`, `web-onnx` (3 packages, 20+ features) |\n| LLM Models | 3-tier selection: Gemma 3 1B, Qwen2.5 0.5B, SmolLM2 135M — all via llama.cpp WASM |\n| STT | Whisper Tiny English (on-device ONNX) + Web Speech API (browser 
fallback) |\n| VAD | Silero VAD (on-device ONNX, ~2.3 MB) — real voice activity detection |\n| TTS | Piper (Lessac Medium, on-device ONNX) — spoken feedback after extraction |\n| Embeddings | On-device via LlamaCPP — semantic dedup, RAG context, search reranking |\n| Encryption | AES-256-GCM + HKDF + PBKDF2 (600K iterations) via WebCrypto API |\n| Auth | WebAuthn with PRF extension (Windows Hello / Touch ID / Face ID) |\n| PDF Export | jsPDF 4.2 — domain-specific professional reports (Sanjeevani, Kavach, Nyaaya, Prahari) |\n| Desktop | Electron 35 + electron-builder — cross-platform desktop with GPU acceleration |\n| Styling | Custom CSS — JetBrains Mono + Special Elite fonts, classified dossier aesthetic |\n| PWA | vite-plugin-pwa + Workbox — full offline support, installable |\n| Testing | Vitest 4 + Testing Library — 231 tests across 18 files |\n\n## Getting Started\n\n### Prerequisites\n\n- Node.js 18+\n- A modern browser (Chrome 96+, Edge 96+ recommended)\n\n### Installation\n\n```bash\ngit clone https://github.com/divyamohan1993/shadownotes.git\ncd shadownotes\nnpm install\n```\n\n### Development\n\n```bash\nnpm run dev\n```\n\nOpen http://localhost:5173 in Chrome or Edge.\n\n### Production Build\n\n```bash\nnpm run build\nnpm run preview\n```\n\n## How It Works\n\n### Data Flow\n\n```\nMicrophone -\u003e AudioCapture/VAD -\u003e STT (on-device) -\u003e RunAnywhere LLM (single generation + StructuredOutput parsing)\n                                                   -\u003e Keyword fallback (instant, if LLM loading)\n                                                   -\u003e Embeddings (RAG context + dedup)\n```\n\n1. **Boot** — SDK initializes (GPU detection, crash recovery, capability detection), auto-selects performance preset\n2. **Onboard** — First-time users see a 3-step walkthrough; returning users skip to auth\n3. **Authenticate** — WebAuthn biometric or passphrase unlock (brute-force protected) derives encryption keys\n4. 
**Session Init** — Select domain profile. LLM begins downloading in background with progress tracking\n5. **Voice Capture** — Three modes: MIC (push-to-talk), TEXT (manual input), AGENT (hands-free VoiceAgent loop)\n6. **Two-Layer Extraction** — Single LLM generation (with StructuredOutput JSON + line-based parsing) → Keyword regex fallback, with RAG context from prior findings\n7. **Session Dossier** — Complete summary view with grouped findings, copy/edit/delete per item\n8. **Vault** — Sessions encrypted with AES-256-GCM (per-case HKDF keys) and stored in IndexedDB\n\n### Domain Profiles\n\n| Domain | Extraction Categories | Speech Correction Examples |\n|--------|----------------------|--------------------------|\n| Security Audit | Vulnerabilities, Timeline, Evidence, Affected Systems, Risk Assessment | \"sequel injection\" → SQL injection, \"cross site\" → XSS |\n| Legal Deposition | Key Statements, Timeline, Parties Involved, Contradictions, Exhibits | \"hay BS corpus\" → habeas corpus |\n| Medical Notes | Symptoms, Diagnoses, Medications, Vital Signs, Follow-up Actions | \"Tell me Satin\" → Telmisartan, \"parse atomol\" → Paracetamol |\n| Incident Report | Incident Timeline, Witnesses, Damage Assessment, Root Cause, Next Steps | Domain-aware context extraction |\n\n## Architecture\n\n```\nsrc/\n  App.tsx                    # App shell, boot sequence, error boundary, skeleton loading\n  runanywhere.ts             # RunAnywhere SDK init — 3 packages, 20+ features, VoiceAgent factory\n  extraction.ts              # Keyword-based intelligence extraction (regex fallback)\n  crypto.ts                  # AES-256-GCM + HKDF + PBKDF2 encryption + schema validation\n  perfConfig.tsx             # Capability-aware performance presets (auto-detect + manual)\n  auth.ts                    # WebAuthn with PRF extension\n  vault.ts                   # Encrypted IndexedDB storage layer\n  VaultContext.tsx            # React Context for vault state management\n  types.ts     
              # TypeScript interfaces\n  domains.ts                 # Domain profiles with system prompts + speech corrections\n  hooks/\n    useModelLoader.ts        # Model download + loading lifecycle hook\n    useAutoSave.ts           # Debounced auto-save with draft management\n    useEmbeddings.ts         # Semantic dedup, findSimilar, buildRAGContext\n    useAudioPipeline.ts      # AudioCapture → VAD → STT pipeline\n    useTTS.ts                # Text-to-speech via TTS + AudioPlayback\n  components/\n    SessionInit.tsx          # Domain selection + onboarding tutorial + LLM preload\n    ActiveCapture.tsx        # 3-mode capture (MIC/TEXT/AGENT) + RAG context\n    SessionSummary.tsx       # Dossier view with edit/delete/copy\n    VaultUnlock.tsx          # WebAuthn + passphrase auth + brute-force protection\n    CaseList.tsx             # Case management with search\n    CaseDetail.tsx           # Session history per case\n    GlobalSearch.tsx         # Cross-case decryption search + semantic reranking\n    ExportModal.tsx          # Encrypted .shadow file export/import\n  styles/\n    index.css                # Classified Dossier theme + onboarding + skeletons + a11y\n```\n\n## Privacy \u0026 Security\n\n- **On-device AI** — Intelligence extraction via RunAnywhere LLM (llama.cpp WASM) — zero network requests\n- **End-to-end encryption** — AES-256-GCM with per-case HKDF-derived keys (PBKDF2, 600K iterations)\n- **Biometric authentication** — WebAuthn with PRF extension for key material derivation\n- **Brute-force protection** — Exponential backoff lockout (5s/15s/30s/60s) after 3 failed passphrase attempts\n- **Schema validation** — Decrypted content validated against expected structure before use\n- **Security headers** — Content-Security-Policy (with `wasm-unsafe-eval`), HSTS, Referrer-Policy, Permissions-Policy, X-Frame-Options, X-Content-Type-Options\n- **No cookies or localStorage** used for sensitive data — vault uses encrypted IndexedDB\n- **Tab close = 
total wipe** for ephemeral sessions (vault sessions encrypted at rest)\n- **Models cached in OPFS** — Browser's private filesystem, isolated per origin\n- **GPU crash recovery** — Automatic CPU fallback if WebGPU crashes (crash flag in sessionStorage)\n\n## Deployment\n\n```bash\nnpx vercel    # Deploy to Vercel (configured with COOP/COEP headers)\n```\n\nRequired headers for any static host:\n```\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Embedder-Policy: credentialless\n```\n\n## Testing\n\n```bash\nnpx vitest run      # Run all 231 tests\nnpm run test:watch  # Watch mode\n```\n\nTest coverage across the pyramid:\n- **Unit tests** — Extraction, crypto, auth, vault, domains, voice commands\n- **Component tests** — All 9 components with Testing Library\n- **Integration tests** — Full session lifecycle for all 4 domains\n\n## License\n\nMIT\n\n---\n\nBuilt with the spirit of **Atmanirbhar Bharat** for the [RunAnywhere Vibe Challenge](https://vibechallenge.runanywhere.org/) Hackathon, facilitated by **ThoughtWorks Technologies** and **GGSIPU, Delhi**, by [Divya Mohan](https://github.com/divyamohan1993) \u0026 Kumkum Thakur (Shoolini University). **#India2047**\n\n*ShadowNotes: Because some notes should never exist anywhere but your memory — and some technology should never depend on anyone but your own device.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivyamohan1993%2Fshadownotes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdivyamohan1993%2Fshadownotes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivyamohan1993%2Fshadownotes/lists"}