{"id":29193162,"url":"https://github.com/ironcorelabs/saas-shield-demo-notes-app","last_synced_at":"2026-07-02T04:31:00.339Z","repository":{"id":281228654,"uuid":"862545920","full_name":"IronCoreLabs/saas-shield-demo-notes-app","owner":"IronCoreLabs","description":"Demo app for SaaS Shield and friends","archived":false,"fork":false,"pushed_at":"2026-02-05T20:15:02.000Z","size":862,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-06T05:55:48.404Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IronCoreLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-09-24T19:27:14.000Z","updated_at":"2026-02-05T20:15:05.000Z","dependencies_parsed_at":"2026-04-26T22:01:04.994Z","dependency_job_id":null,"html_url":"https://github.com/IronCoreLabs/saas-shield-demo-notes-app","commit_stats":null,"previous_names":["ironcorelabs/saas-shield-demo-notes-app"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/IronCoreLabs/saas-shield-demo-notes-app","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IronCoreLabs%2Fsaas-shield-demo-notes-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IronCoreLabs%2Fsaas-shield-demo-notes-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IronCoreLabs%2Fsaas-shield-demo-notes-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IronCoreLabs%2Fsaas-shield-demo-notes-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IronCoreLabs","download_url":"https://codeload.github.com/IronCoreLabs/saas-shield-demo-notes-app/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IronCoreLabs%2Fsaas-shield-demo-notes-app/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35033488,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-02T02:00:06.368Z","response_time":173,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-02T02:07:45.394Z","updated_at":"2026-07-02T04:31:00.305Z","avatar_url":"https://github.com/IronCoreLabs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SaaS Shield Demo Notes App\n\nThis repo contains a sample application that demonstrates the capabilities of IronCore Labs' SaaS Shield suite of products\nfor implementing application-layer encryption (ALE) in your apps.\n\nThe sample is designed to be mostly self-contained; it starts up several Docker containers running services locally on your\nmachine. It does rely on two IronCore Labs hosted services, the Configuration Broker and the Identity Service, to provide the\nvendor and tenant configuration, including the KMS configurations that will be used to protect the data.\n\nThis sample app is a very simplified note-taking application. It stores a title and free-form text content for each note,\nand it allows the user to specify a category for each note. Notes can also have attachments (stored in Amazon S3). The app\nallows text search of notes (using Elasticsearch), and it supports contextual search using a Retrieval-Augmented Generation (RAG)\nworkflow.\n\nThe sample app shows how to use SaaS Shield's IronCore Alloy SDK to encrypt data in fields that you persist from\nyour app (we use a simple SQLite database for the demo), with both standard and deterministic encryption. The category values\nusers enter are encrypted in the app using deterministic encryption to demonstrate how you can encrypt fields but still do\nexact match searches for desired values.\n\nAny note attachments are stored in Amazon S3 using our S3 proxy - each attachment is stored encrypted in S3. You can see how\nthe sample app uses the standard S3 client library, relying on the S3 proxy to transparently handle encryption and decryption\nof attachments using tenant-specific keys to protect the data.\n\nThe app also demonstrates our Cloaked Search proxy; the demo starts an Elasticsearch instance and adds each note's title and\ntext to an Elasticsearch index that is encrypted so you can't extract the note contents from the index. This index is used when\nyou perform a text search on the notes. Like the attachments, the entries in the Elasticsearch index are protected by\nper-tenant keys, so you can't accidentally return entries for the wrong tenant if you don't properly filter your query.\n\nFinally, the app demonstrates our Cloaked AI capabilities; it uses an `ollama` model to generate embeddings from notes and\nindexes the embedding vectors in Elasticsearch. When you use the contextual search button in the lower left of the app, it\ngenerates an embedding from your question and does nearest neighbor search to find matching notes. The Cloaked AI functionality\nprevents someone who gains access to the vectors in Elasticsearch from running an embedding inversion attack and recovering\nsensitive data from the vectors.\n\n## Pre-created environment\n\nTo run the demo app, you need to configure the TSP and S3 Proxy with credentials.\nThe easiest way to get started is by using our sandbox environment. This allows you to start-up the demo without needing to set up\nyour own vendor, tenants, or S3 bucket. You can obtain the credentials to configure the TSP and the S3 proxy by submitting a request on our\n[website](https://ironcorelabs.com/contact-us/open-source-demo-credentials/).\n\n## Supplying your own credentials\n\nIf you want to test the demo app in an environment more tailored to your use case, you can supply your own TSP and S3 Proxy configurations.\n\nFollow the directions in the [infra](./infra/README.md#configuration-files) and [server](./server/README.md#configuration-file) READMEs to\nset the required configuration files.\n\n## Required software\n\nThe demo consists of three parts in three separate folders, each requiring their own set of software: [infra](./infra/README.md#required-software), [server](./server/README.md#required-software), and [client](./client/README.md#required-software).\n\n**To simplify these requirements, we've provided a [Nix flake](https://wiki.nixos.org/wiki/Flakes) in each of these folders.**\n\n## Getting everything running\n\nIn the `infra` directory, you will find an additional `README.md` that details how to get all the services up and running\nin your local Docker. Once you have things running, you can go to the `server` directory and follow the instructions in that `README.md` to get\nthe server side of the demo running; it is a Rust application that will be built and started. Finally, go to the `client`\ndirectory and follow the directions in that `README.md` to start serving the client app. When it is running, you can\ngo to `http://localhost:9002` in your browser to access the app.\n\nIf you want to check things out behind the scenes once you have entered some notes in the app, you can access the SQLite\ndatabase directly; it is stored in `server/sqlite.db`. Likewise, you can access the Elasticsearch index directly and do\nqueries to see how we protect the sensitive data in the index. Attachments are stored in the configured S3 bucket, and you have\ncredentials that will allow you to list the bucket. However, because we use S3's Server-Side Encryption with\nCustomer-provided keys (SSE-C) feature, you cannot retrieve any of the objects without using the S3 proxy to determine\nand unwrap the key for each object.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fironcorelabs%2Fsaas-shield-demo-notes-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fironcorelabs%2Fsaas-shield-demo-notes-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fironcorelabs%2Fsaas-shield-demo-notes-app/lists"}