Merge pull request #37 from xskcdf/development

Fix SQLITE_READONLY(8): move WAL/synchronous PRAGMAs out of intercept…

Author: xnodeoncode

1-Aquiis.Infrastructure/Data/SqlCipherConnectionInterceptor.cs

@@ -35,11 +35,19 @@ public override void ConnectionOpened(DbConnection connection, ConnectionEndEven
                 // Pre-derived raw key — SQLCipher loads it directly, no PBKDF2 (~0 ms)
                 cmd.CommandText = $"PRAGMA key = \"{_encryptionKey}\";";
                 cmd.ExecuteNonQuery();
+
+                // Raw key still needs cipher params to match how the DB was encrypted
+                cmd.CommandText = "PRAGMA cipher_page_size = 4096;";
+                cmd.ExecuteNonQuery();
+                cmd.CommandText = "PRAGMA cipher_hmac_algorithm = HMAC_SHA512;";
+                cmd.ExecuteNonQuery();
+                cmd.CommandText = "PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA512;";
+                cmd.ExecuteNonQuery();
             }
             else
             {
                 // Passphrase fallback — SQLCipher runs PBKDF2(256000) internally (~20–50 ms)
-                cmd.CommandText = $"PRAGMA key = '{_encryptionKey}';";
+                cmd.CommandText = $"PRAGMA key = '{_encryptionKey}';"; 
                 cmd.ExecuteNonQuery();
 
                 cmd.CommandText = "PRAGMA cipher_page_size = 4096;";
@@ -53,16 +61,6 @@ public override void ConnectionOpened(DbConnection connection, ConnectionEndEven
             }
         }
 
-        // WAL mode is persistent in the database file — no-op if already set, upgrades fresh DBs.
-        // NORMAL synchronous is safe with WAL and reduces flush overhead on every commit.
-        using (var cmd = connection.CreateCommand())
-        {
-            cmd.CommandText = "PRAGMA journal_mode = WAL;";
-            cmd.ExecuteNonQuery();
-            cmd.CommandText = "PRAGMA synchronous = NORMAL;";
-            cmd.ExecuteNonQuery();
-        }
-
         base.ConnectionOpened(connection, eventData);
     }
 
@@ -77,6 +75,14 @@ public override async Task ConnectionOpenedAsync(DbConnection connection, Connec
                 // Pre-derived raw key — SQLCipher loads it directly, no PBKDF2 (~0 ms)
                 cmd.CommandText = $"PRAGMA key = \"{_encryptionKey}\";";
                 await cmd.ExecuteNonQueryAsync(cancellationToken);
+
+                // Raw key still needs cipher params to match how the DB was encrypted
+                cmd.CommandText = "PRAGMA cipher_page_size = 4096;";
+                await cmd.ExecuteNonQueryAsync(cancellationToken);
+                cmd.CommandText = "PRAGMA cipher_hmac_algorithm = HMAC_SHA512;";
+                await cmd.ExecuteNonQueryAsync(cancellationToken);
+                cmd.CommandText = "PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA512;";
+                await cmd.ExecuteNonQueryAsync(cancellationToken);
             }
             else
             {
@@ -95,16 +101,6 @@ public override async Task ConnectionOpenedAsync(DbConnection connection, Connec
             }
         }
 
-        // WAL mode is persistent in the database file — no-op if already set, upgrades fresh DBs.
-        // NORMAL synchronous is safe with WAL and reduces flush overhead on every commit.
-        using (var cmd = connection.CreateCommand())
-        {
-            cmd.CommandText = "PRAGMA journal_mode = WAL;";
-            await cmd.ExecuteNonQueryAsync(cancellationToken);
-            cmd.CommandText = "PRAGMA synchronous = NORMAL;";
-            await cmd.ExecuteNonQueryAsync(cancellationToken);
-        }
-
         await base.ConnectionOpenedAsync(connection, eventData, cancellationToken);
     }
 }

2-Aquiis.Application/Services/DatabaseService.cs

@@ -77,12 +77,14 @@ public async Task<bool> CanConnectAsync()
     public async Task<int> GetPendingMigrationsCountAsync()
     {
         var pending = await _businessContext.Database.GetPendingMigrationsAsync();
+        _logger.LogInformation($"Business context has {pending.Count()} pending migrations.");
         return pending.Count();
     }
 
     public async Task<int> GetIdentityPendingMigrationsCountAsync()
     {
         var pending = await _identityContext.Database.GetPendingMigrationsAsync();
+        _logger.LogInformation($"Identity context has {pending.Count()} pending migrations.");
         return pending.Count();
     }
 

4-Aquiis.SimpleStart/Aquiis.SimpleStart.csproj

@@ -53,7 +53,8 @@
     </PackageReference>
     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.1" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
-    <PackageReference Include="SQLitePCLRaw.bundle_e_sqlite3" Version="2.1.11" />
+    <!-- <PackageReference Include="SQLitePCLRaw.bundle_e_sqlite3" Version="2.1.11" /> -->
+    <PackageReference Include="SQLitePCLRaw.bundle_e_sqlcipher" Version="2.1.11" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.1" />
     <PackageReference Include="QuestPDF" Version="2025.12.1" />
     <PackageReference Include="Twilio" Version="7.14.0" />

4-Aquiis.SimpleStart/Extensions/WebServiceExtensions.cs

@@ -59,10 +59,13 @@ public static IServiceCollection AddWebServices(
         {
             NeedsUnlock = encryptionPassword == null && IsDatabaseEncrypted(connectionString),
             DatabasePath = ExtractDatabasePath(connectionString),
+            
             ConnectionString = connectionString
         };
         services.AddSingleton(unlockState);
 
+        Console.WriteLine($"Database unlock state: NeedsUnlock={unlockState.NeedsUnlock}, DatabasePath={unlockState.DatabasePath}");
+
         // Register encryption status as singleton for use during startup
         services.AddSingleton(new EncryptionDetectionResult
         {
@@ -85,6 +88,24 @@ public static IServiceCollection AddWebServices(
 
             // Clear connection pools to ensure no connections bypass the interceptor
             SqliteConnection.ClearAllPools();
+
+            // Set WAL mode and synchronous=NORMAL once on a writable connection.
+            // These are persistent database settings — no need to repeat on every connection open.
+            // This MUST happen here (not in the interceptor) because EF Core also opens read-only
+            // connections (e.g. SqliteDatabaseCreator.Exists()), and PRAGMA journal_mode = WAL
+            // returns SQLITE_READONLY (8) on a read-only connection.
+            using var setupConn = new SqliteConnection(connectionString);
+            setupConn.Open();
+            using var setupCmd = setupConn.CreateCommand();
+            setupCmd.CommandText = $"PRAGMA key = \"{encryptionPassword}\";";
+            setupCmd.ExecuteNonQuery();
+            setupCmd.CommandText = "PRAGMA journal_mode = WAL;";
+            setupCmd.ExecuteNonQuery();
+            setupCmd.CommandText = "PRAGMA synchronous = NORMAL;";
+            setupCmd.ExecuteNonQuery();
+            setupConn.Close();
+
+            SqliteConnection.ClearAllPools();
         }
 
         // ✅ Register Application layer (includes Infrastructure internally) with encryption interceptor