An end-to-end encrypted task manager. All task content is encrypted in the browser before reaching the server — the server never sees your plaintext data.

• End-to-end encryption — Task titles, descriptions, project names, labels, comments, and attachments are encrypted client-side with XChaCha20-Poly1305
• Zero-knowledge server — The server stores only ciphertext; it cannot read your tasks
• Projects & sections — Organize tasks into projects with collapsible sections
• List & board views — Switch between list and kanban board layouts
• Labels & filters — Tag tasks with colored labels and create custom saved filters
• Smart date parsing — Type natural language dates like "tomorrow" or "next friday" when creating tasks
• Recurring tasks — Set up tasks that repeat on a schedule
• Drag & drop — Reorder tasks and move them between sections
• Subtasks — Break tasks into smaller steps
• Collaboration — Share projects with other users via X25519 key exchange
• Search — Client-side fuzzy search across all decrypted tasks
• Keyboard shortcuts — Quick actions without leaving the keyboard
• Dark mode — Automatic theme based on system preference
• Admin dashboard — User management, registration toggle, invitations, configurable rate limits, stats
• Recovery key — 24-word passphrase to recover your account if you forget your password
• Docker support — Single docker compose up to run everything

• Framework: Next.js 16 (App Router)
• UI: React 19, Tailwind CSS 4
• Database: PostgreSQL, Prisma 7
• Auth: NextAuth v5 (credentials + JWT)
• State: Zustand 5
• Crypto: libsodium.js (Argon2id, XChaCha20-Poly1305, X25519)
• Drag & Drop: @dnd-kit/react
• Dates: chrono-node, date-fns, rrule

Password (never stored)
  → Argon2id → Wrapping Key
    → encrypts Master Key (random 256-bit)
      → encrypts personal data (tasks, projects, labels)
      → encrypts X25519 private key

X25519 Keypair (for collaboration):
  - Public key: stored plaintext
  - Private key: encrypted with master key
  - Shared project keys exchanged via X25519 key agreement

Fields like priority, dueDate, isCompleted, and sortOrder are intentionally stored in plaintext so the server can serve filtered views (Today, Upcoming) without decrypting all tasks.

• Node.js 22+
• PostgreSQL 17+ (or use Docker)

# Clone the repository
git clone https://github.com/andresousadotpt/todo.git
cd todo

# Install dependencies
npm install

# Copy environment variables
cp .env.example .env

# Generate required secrets
openssl rand -base64 32  # → AUTH_SECRET
openssl rand -hex 32     # → ENCRYPTION_KEY
# Edit .env with your values

# Generate Prisma client and run migrations
npx prisma generate
npx prisma migrate dev

# Seed the database
npm run db:seed

# Start the dev server
npm run dev

The app will be available at http://localhost:3000.

cp .env.example .env
# Edit .env with your secrets (AUTH_SECRET, ENCRYPTION_KEY, POSTGRES_PASSWORD)

docker compose up -d

This starts PostgreSQL and the app. Migrations run automatically on startup.

After registering your first user, promote them to admin:

UPDATE "User" SET role = 'admin' WHERE id = '<user-id>';

To send email reminders for due tasks, schedule a POST request to:

/api/cron/due-date-notifications

Required header:

Authorization: Bearer <CRON_SECRET>

Run this endpoint on an interval (for example every 5 minutes). Keep the interval smaller than DUE_DATE_NOTIFICATION_WINDOW_MINUTES.

MIT