Overview

Relevant source files

• .env.example
• README.md
• bin/machine-translate.js
• package.json
• pnpm-lock.yaml
• src/lib/data/docs/api.md
• src/lib/data/enums.ts
• src/lib/server/db/schema.ts
• src/lib/server/secrets.ts
• src/lib/validators/formSchemas.ts
• src/routes/api/v1/secrets/+server.ts

This document provides a high-level introduction to the scrt-link-v2 codebase, a zero-knowledge secret sharing platform. It covers the system's core architecture, technology stack, key components, and design principles.

Scope: This overview focuses on architectural patterns, technology choices, and the relationships between major system components.

---

Purpose and Value Proposition

scrt-link-v2 is a web application that enables secure, ephemeral secret sharing through client-side encryption. The platform implements a zero-knowledge architecture where secrets are encrypted in the user's browser before transmission, ensuring the server never has access to plaintext data. Secrets are designed for one-time viewing and automatic destruction after retrieval or expiration.

The system supports multiple use cases:

• Individual users sharing confidential text, files, or redirect URLs.
• Organizations managing team-based secret sharing.
• Businesses deploying white-labeled instances on custom domains.
• Developers integrating programmatic secret creation via a REST API.

Sources: README.md1-6 src/lib/data/docs/api.md1-11

---

Core Architecture

The application follows a layered architecture built on SvelteKit, with clear separation between frontend rendering, application logic, data persistence, and external services.

System Component Diagram

Sources: package.json1-107 src/lib/server/db/schema.ts1-213 src/routes/api/v1/secrets/+server.ts35-106

---

Technology Stack

Layer	Technology	Purpose
Frontend Framework	Svelte 5 + SvelteKit	Component-based UI and routing package.json43-65
Styling	Tailwind CSS 4	Utility-first styling package.json73-87
Internationalization	Paraglide.js	Compile-time i18n package.json36-75
Client Encryption	@scrt-link/core	Browser-side AES-GCM package.json84
Database	PostgreSQL	Persistent storage package.json97
ORM	Drizzle ORM	Type-safe SQL builder package.json92-93
Authentication	Lucia (implied)	Session management README.md94-97
OAuth	Arctic	Google OAuth integration package.json89
Form Handling	Superforms + Zod	Validation and state package.json70-78
Payments	Stripe	Subscription billing package.json85-102
Email	Resend	Transactional delivery package.json100
File Storage	AWS S3 SDK	Encrypted blob storage package.json81-83

Sources: package.json32-107 README.md94-130

---

Key Architectural Principles

1. Zero-Knowledge Security

All secret encryption occurs client-side using the @scrt-link/core package. The server stores only encrypted content and a hash of the ID (secretIdHash). The decryption key is passed via the URL fragment (#), which is never sent to the server.

2. Multi-Tenancy Isolation

The system supports three levels of tenancy:

• Platform level: The main scrt.link domain.
• Organization level: Managed via the organization and membership tables src/lib/server/db/schema.ts103-128
• White-label level: Custom domains configured in the whiteLabelSite table src/lib/server/db/schema.ts157-180

Secrets are associated with a whiteLabelSiteId to ensure strict isolation between tenants src/lib/server/db/schema.ts210-212

3. API-First Client Module

Programmatic access is handled via a dedicated client module. Because the server cannot encrypt data (zero-knowledge), the API requires pre-encrypted payloads validated by a checksum src/routes/api/v1/secrets/+server.ts67-73

---

Code Entity Mapping

The following diagram maps high-level system operations to specific code entities within the project.

Sources: src/lib/validators/formSchemas.ts48-77 src/lib/server/secrets.ts16-41 src/routes/api/v1/secrets/+server.ts35-58

---

Secret Types and Features

The platform supports multiple secret types defined in the SecretType enum src/lib/server/db/schema.ts95-101:

Secret Type	Code Identifier	Description
Text	SecretType.TEXT	Standard encrypted text message.
File	SecretType.FILE	Encrypted file upload stored in S3.
Redirect	SecretType.REDIRECT	A URL that redirects the user upon decryption.
Snap	SecretType.SNAP	A "self-destructing" image/screenshot.
Neogram	SecretType.NEOGRAM	A structured, letter-style encrypted message.

Sources: src/lib/server/db/schema.ts95-101 src/lib/data/enums.ts1-3

---

Database Schema Overview

The database uses PostgreSQL with Drizzle ORM for type-safe queries. Key tables include:

Table	Purpose	Source
user	Stores account info, subscription tiers, and role.	src/lib/server/db/schema.ts34-51
secret	Stores encrypted content, metadata, and expiration.	src/lib/server/db/schema.ts197-213
organization	Groups users for team-based secret management.	src/lib/server/db/schema.ts103-107
white_label_site	Configuration for custom domains and branding.	src/lib/server/db/schema.ts157-180
api_key	Bearer tokens for programmatic access.	src/lib/server/db/schema.ts215-225

---

Development Workflow

Local Setup:

1. Dependencies: pnpm install README.md12
2. Database: pnpm run db:start (via Docker) README.md15
3. Migrations: pnpm run db:push to sync schema README.md34
4. Dev Server: pnpm run dev README.md18

Cron Jobs: The system uses Vercel Cron for automated cleanup of expired secrets. This can be triggered locally via POST /api/v1/cron README.md52-62

Sources: README.md7-62 package.json6-27