starred/karakeep
1
0
Fork 0
mirror of https://github.com/karakeep-app/karakeep.git synced 2026-04-26 00:16:03 +03:00
Code Issues 569 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1413] Allow secrets to be stored in files locally instead of plaintext #895

New issue
Open
opened 2026-03-02 11:53:34 +03:00 by kerem · 8 comments
kerem commented 2026-03-02 11:53:34 +03:00
Owner
Copy link

Originally created by @debsidian on GitHub (May 15, 2025).
Original GitHub issue: https://github.com/karakeep-app/karakeep/issues/1413

Describe the feature you'd like

While creating a docker-compose for Karakeep there are a couple of environmental variables that I'm uncomfortable leaving in plaintext.

  • OAUTH_CLIENT_SECRET
  • NEXTAUTH_SECRET
  • OPENAI_API_KEY
  • MEILI_MASTER_KEY

It would be nice if we could reference a local file for sensitive information such as this.

Describe the benefits this would bring to existing Karakeep users

Benefits are security and privacy of sensitive data.

Can the goal of this request already be achieved via other means?

Not to my knowledge.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

Additional context

No response

Originally created by @debsidian on GitHub (May 15, 2025). Original GitHub issue: https://github.com/karakeep-app/karakeep/issues/1413 ### Describe the feature you'd like While creating a docker-compose for Karakeep there are a couple of environmental variables that I'm uncomfortable leaving in plaintext. - `OAUTH_CLIENT_SECRET` - `NEXTAUTH_SECRET` - `OPENAI_API_KEY` - `MEILI_MASTER_KEY` It would be nice if we could reference a local file for sensitive information such as this. ### Describe the benefits this would bring to existing Karakeep users Benefits are security and privacy of sensitive data. ### Can the goal of this request already be achieved via other means? Not to my knowledge. ### Have you searched for an existing open/closed issue? - [x] I have searched for existing issues and none cover my fundamental request ### Additional context _No response_
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@Eragos commented on GitHub (May 17, 2025):

I'm always a security focused guy. But I don't get your point :-/

If you follow the basic security rules (secure passwords, SSL encryption, separate networks, latest updates/security fixes, you name it...). You shouldn't have a problem. Security comes from the weakest point of the whole chain. And a plain text file in a secured context is IMHO not the problem.

Some things you can read:

I invite you to further discuss this topic in the discussion section...

jmy2ct

Best Michael

<!-- gh-comment-id:2888461354 --> @Eragos commented on GitHub (May 17, 2025): I'm always a security focused guy. But I don't get your point :-/ If you follow the basic security rules (secure passwords, SSL encryption, separate networks, latest updates/security fixes, you name it...). You shouldn't have a problem. Security comes from the weakest point of the whole chain. And a plain text file in a secured context is IMHO not the problem. Some things you can read: - https://openid.net/developers/how-connect-works/ - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety - https://www.meilisearch.com/docs/learn/security/basic_security I invite you to further discuss this topic in the discussion section... _jmy2ct_ Best Michael
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@debsidian commented on GitHub (May 17, 2025):

Maybe I'm miscommunicating here? I'm advocating for basic security practices. The ones that are baked into Docker's own documentation:

A secret is any piece of data, such as a password, certificate, or API key, that shouldn’t be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code.

Docker Compose provides a way for you to use secrets without having to use environment variables to store information. If you’re injecting passwords and API keys as environment variables, you risk unintentional information exposure. Services can only access secrets when explicitly granted by a secrets attribute within the services top-level element.

Environment variables are often available to all processes, and it can be difficult to track access. They can also be printed in logs when debugging errors without your knowledge. Using secrets mitigates these risks.

Source

No third party links necessary. Docker tells you what best practices are. I'm just asking that they be implemented here. It's okay if the answer is 'no', but I figured it couldn't hurt to ask.

Edit: Just to be clear, the ask is simply to mount/link to a file within the docker-compose instead of putting the api key as a plaintext environmental variable. I'm not advocating for password hashes or anything like that.

<!-- gh-comment-id:2888536916 --> @debsidian commented on GitHub (May 17, 2025): Maybe I'm miscommunicating here? I'm advocating for basic security practices. The ones that are baked into Docker's own documentation: > A secret is any piece of data, such as a password, certificate, or API key, that shouldn’t be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code. > > Docker Compose provides a way for you to use secrets without having to use environment variables to store information. If you’re injecting passwords and API keys as environment variables, you risk unintentional information exposure. Services can only access secrets when explicitly granted by a secrets attribute within the services top-level element. > > Environment variables are often available to all processes, and it can be difficult to track access. They can also be printed in logs when debugging errors without your knowledge. Using secrets mitigates these risks. > > [Source](https://docs.docker.com/compose/how-tos/use-secrets/) No third party links necessary. Docker tells you what best practices are. I'm just asking that they be implemented here. It's okay if the answer is 'no', but I figured it couldn't hurt to ask. Edit: Just to be clear, the ask is simply to mount/link to a file within the `docker-compose` instead of putting the api key as a plaintext environmental variable. I'm not advocating for password hashes or anything like that.
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@MohamedBassem commented on GitHub (May 17, 2025):

@debsidian I think this is a reasonable ask.

<!-- gh-comment-id:2888544415 --> @MohamedBassem commented on GitHub (May 17, 2025): @debsidian I think this is a reasonable ask.
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@Eragos commented on GitHub (May 17, 2025):

@debsidian Yes, I didn't know that. Interesting Link - thank you!

Best Michael

<!-- gh-comment-id:2888548748 --> @Eragos commented on GitHub (May 17, 2025): @debsidian Yes, I didn't know that. Interesting Link - thank you! Best Michael
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@thiswillbeyourgithub commented on GitHub (May 19, 2025):

What do we think about encryption here? The sqlite db does not seem to use any "encrypted at rest" feature (meaning the storage provider can read the data) nor any "per user encryption" (meaning the admin car read everyone's data). Is that something that might change in the future?

Looking a bit at the backend I see that karakeep seems to use drizzle-orm with better-sqlite3, and apparently drizzle can also use libsql which supports encrypted at rest features.

In an idea world, karakeep would not allow the admin to read other user's data, nor the storage provider. IIRC there are some pretty standard and robust ways to do that nowadays with minimal performance tradeoff on normal hardware, no?

I do understand that no matter the encryption of the db, the search engine (currently meilisearch) stores things related to full text search so there is probably some leakage here, and also stores embeddings which can actually be reversed back to text in some situation, but:
1 it would take significant effort to reverse the meilisearch, so blocking that would only be relevant for people that are bigger problems than their bookmarks leak
2. this effort means it should not be doable at scale and in an "indiscriminate nsa dragnet" scenario.
3. Using binary embeddings (#1315) would probably make reversal impossible

All in all, I am interested in the owner's take on encryption for karakeep. I am sure there are low-cost low-risk high-gain things to do, no?

If you want I can open an issue to track this request.

Edit:

Edit:
I guess another way to do encryption could simply be for the host root to mount an encrypted partition on which to store the db files. This could be a sort of valid solution to the storage provider I guess. Not to the curious karakeep administrator account though.

Edit:
I'll make a doc PR to mention encryption based on your answer @MohamedBassem

edit: decided to make the PR anyway: #1479

<!-- gh-comment-id:2890758833 --> @thiswillbeyourgithub commented on GitHub (May 19, 2025): What do we think about encryption here? The sqlite db does not seem to use any "encrypted at rest" feature (meaning the storage provider can read the data) nor any "per user encryption" (meaning the admin car read everyone's data). Is that something that might change in the future? Looking a bit at the backend I see that karakeep seems to use `drizzle-orm` with `better-sqlite3`, and apparently drizzle can [also use libsql which supports encrypted at rest features](https://orm.drizzle.team/docs/get-started-sqlite). In an idea world, karakeep would not allow the admin to read other user's data, nor the storage provider. IIRC there are some pretty standard and robust ways to do that nowadays with minimal performance tradeoff on normal hardware, no? I do understand that no matter the encryption of the db, the search engine (currently meilisearch) stores things related to full text search so there is probably some leakage here, and also stores embeddings which can [actually be reversed back to text in some situation](https://simonwillison.net/2024/Jan/8/text-embeddings-reveal-almost-as-much-as-text/), but: 1 it would take significant effort to reverse the meilisearch, so blocking that would only be relevant for people that are bigger problems than their bookmarks leak 2. this effort means it should not be doable at scale and in an "indiscriminate nsa dragnet" scenario. 3. Using binary embeddings (#1315) would probably make reversal impossible All in all, I am interested in the owner's take on encryption for karakeep. I am sure there are low-cost low-risk high-gain things to do, no? If you want I can open an issue to track this request. Edit: - Meilisearch uses LMDB and mentionned in 2022 being interested in upgrading to the LMDB3 that supports encryption apparently: https://github.com/meilisearch/meilisearch/issues/2570 - Related discusion on meilisearch: https://github.com/meilisearch/meilisearch/issues/5036 Edit: I guess another way to do encryption could simply be for the host root to mount an encrypted partition on which to store the db files. This could be a sort of valid solution to the storage provider I guess. Not to the curious karakeep administrator account though. Edit: I'll make a doc PR to mention encryption based on your answer @MohamedBassem edit: decided to make the PR anyway: #1479
kerem commented 2026-03-02 11:53:35 +03:00
Author
Owner
Copy link

@Eragos commented on GitHub (May 27, 2025):

Discussion: Feature request: E2E-Encryption or at least server-database encryption has a similar topic.

<!-- gh-comment-id:2912972100 --> @Eragos commented on GitHub (May 27, 2025): Discussion: [Feature request: E2E-Encryption or at least server-database encryption](https://github.com/karakeep-app/karakeep/discussions/1070) has a similar topic.
kerem commented 2026-03-02 11:53:36 +03:00
Author
Owner
Copy link

@kennethso168 commented on GitHub (Jan 30, 2026):

Just to add some insight. I currently worked around this by overriding the entrypoint of the docker images in my compose files

services:
  ...
  web:
    image: ghcr.io/karakeep-app/karakeep:0.30.0
    restart: unless-stopped
    ...
    secrets:
      - karakeep_oauth_client_secret
      - karakeep_meili_master_key
      - karakeep_nextauth_secret
    entrypoint: ['/bin/sh', '-c', 'export OAUTH_CLIENT_SECRET=$$(cat /run/secrets/karakeep_oauth_client_secret); export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); export NEXTAUTH_SECRET=$$(cat /run/secrets/karakeep_nextauth_secret); /init']

  meilisearch:
    image: getmeili/meilisearch:v1.13.3
    restart: unless-stopped
    ...
    secrets:
      - karakeep_meili_master_key
    entrypoint: ['/bin/sh', '-c']
    command: "'export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); tini -- /bin/meilisearch'"

But this should be considered as a "hack" and it would be great if the containers support secrets in file natively.

<!-- gh-comment-id:3824840618 --> @kennethso168 commented on GitHub (Jan 30, 2026): Just to add some insight. I currently worked around this by overriding the entrypoint of the docker images in my compose files ``` services: ... web: image: ghcr.io/karakeep-app/karakeep:0.30.0 restart: unless-stopped ... secrets: - karakeep_oauth_client_secret - karakeep_meili_master_key - karakeep_nextauth_secret entrypoint: ['/bin/sh', '-c', 'export OAUTH_CLIENT_SECRET=$$(cat /run/secrets/karakeep_oauth_client_secret); export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); export NEXTAUTH_SECRET=$$(cat /run/secrets/karakeep_nextauth_secret); /init'] meilisearch: image: getmeili/meilisearch:v1.13.3 restart: unless-stopped ... secrets: - karakeep_meili_master_key entrypoint: ['/bin/sh', '-c'] command: "'export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); tini -- /bin/meilisearch'" ``` But this should be considered as a "hack" and it would be great if the containers support secrets in file natively.
kerem commented 2026-03-02 11:53:36 +03:00
Author
Owner
Copy link

@kennethso168 commented on GitHub (Mar 1, 2026):

services:
  ...
  web:
    image: ghcr.io/karakeep-app/karakeep:0.30.0
    restart: unless-stopped
    ...
    secrets:
      - karakeep_oauth_client_secret
      - karakeep_meili_master_key
      - karakeep_nextauth_secret
    entrypoint: ['/bin/sh', '-c', 'export OAUTH_CLIENT_SECRET=$$(cat /run/secrets/karakeep_oauth_client_secret); export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); export NEXTAUTH_SECRET=$$(cat /run/secrets/karakeep_nextauth_secret); /init']

Unfortunately the above "hack" no longer works for 0.31.0. When the entrypoint is overridden, the following error occurs

s6-overlay-suexec: fatal: can only run as pid 1

However, as the karakeep container uses s6-overlay, after spending some time to study s6-overlay, it is possible to add a init script to load the contents of the file defined by FILE__MY_VAR into a new environment variable MY_VAR, just like linuxserver.io images. In fact, I adapted the script from linuxserver.io base images, removing bashisms as the karakeep container does not have bash.

In the folder containing the karakeep compose file, create the following folder structure:

karakeep
├── compose.yml
├── empty
└── init-envfile
    ├── run
    ├── type
    └── up

The file empty, as the name implies, is empty.

And for the remaining files:

init-envfile/run:

#!/command/with-contenv sh
# shellcheck shell=bash

if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then
    for FILENAME in /run/s6/container_environment/FILE__*; do
            SECRETFILE=$(cat "${FILENAME}")
            if [ -f ${SECRETFILE} ]; then
                FILESTRIP="$(echo ${FILENAME} | sed 's|FILE__||')"
                if [ $(tail -n1 "${SECRETFILE}" | wc -l) != 0 ]; then
                    echo "[init-envfile] Your secret: $(basename ${FILENAME})"
                    echo "           contains a trailing newline and may not work as expected"
                fi
                cat "${SECRETFILE}" >"${FILESTRIP}"
                echo "[init-envfile] $(basename ${FILESTRIP}) set from $(basename ${FILENAME})"
            else
                echo "[init-envfile] cannot find secret in $(basename ${FILENAME})"
            fi
    done
fi

init-envfile/type

oneshot

init-envfile/up

/etc/s6-overlay/s6-rc.d/init-envfile/run

Make all three files inside the init-envfile folder executable

Then, we can mount the files into the container and set our environment variables accordingly:

services:
  ...
  web:
    image: ghcr.io/karakeep-app/karakeep:0.31.0
    restart: unless-stopped
    volumes:
      - /path/to/your/directory:/data
      - ./init-envfile:/etc/s6-overlay/s6-rc.d/init-envfile
      - ./empty:/etc/s6-overlay/s6-rc.d/init-db-migration/dependencies.d/init-envfile
      - ./empty:/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile
    ...
    environment:
      ...
      FILE__OAUTH_CLIENT_SECRET: '/run/secrets/karakeep_oauth_client_secret'
      FILE__MEILI_MASTER_KEY: '/run/secrets/karakeep_meili_master_key'
      FILE__NEXTAUTH_SECRET: '/run/secrets/karakeep_nextauth_secret'
    secrets:
      - karakeep_oauth_client_secret
      - karakeep_meili_master_key
      - karakeep_nextauth_secret

Example container logs with the above modification:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service init-envfile: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
[init-envfile] MEILI_MASTER_KEY set from FILE__MEILI_MASTER_KEY
[init-envfile] NEXTAUTH_SECRET set from FILE__NEXTAUTH_SECRET
[init-envfile] OAUTH_CLIENT_SECRET set from FILE__OAUTH_CLIENT_SECRET
s6-rc: info: service init-envfile successfully started
s6-rc: info: service init-db-migration: starting
Running db migration script
s6-rc: info: service init-db-migration successfully started
s6-rc: info: service svc-workers: starting
s6-rc: info: service svc-web: starting
s6-rc: info: service svc-workers successfully started
s6-rc: info: service svc-web successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
   ▲ Next.js 15.3.8
   - Local:        http://localhost:3000
   - Network:      http://0.0.0.0:3000

 ✓ Starting...
2026-03-01T15:21:23.283Z info: Tracing is disabled
 ✓ Ready in 1144ms

Maybe I can open a PR to add the above init script into the image

<!-- gh-comment-id:3980311803 --> @kennethso168 commented on GitHub (Mar 1, 2026): > ``` > services: > ... > web: > image: ghcr.io/karakeep-app/karakeep:0.30.0 > restart: unless-stopped > ... > secrets: > - karakeep_oauth_client_secret > - karakeep_meili_master_key > - karakeep_nextauth_secret > entrypoint: ['/bin/sh', '-c', 'export OAUTH_CLIENT_SECRET=$$(cat /run/secrets/karakeep_oauth_client_secret); export MEILI_MASTER_KEY=$$(cat /run/secrets/karakeep_meili_master_key); export NEXTAUTH_SECRET=$$(cat /run/secrets/karakeep_nextauth_secret); /init'] > ``` Unfortunately the above "hack" no longer works for 0.31.0. When the entrypoint is overridden, the following error occurs ``` s6-overlay-suexec: fatal: can only run as pid 1 ``` However, as the karakeep container uses `s6-overlay`, after spending some time to study `s6-overlay`, it is possible to add a init script to load the contents of the file defined by `FILE__MY_VAR` into a new environment variable `MY_VAR`, just like `linuxserver.io` images. In fact, I adapted the script from `linuxserver.io` base images, removing bashisms as the karakeep container does not have bash. In the folder containing the karakeep compose file, create the following folder structure: ``` karakeep ├── compose.yml ├── empty └── init-envfile ├── run ├── type └── up ``` The file `empty`, as the name implies, is empty. And for the remaining files: `init-envfile/run`: ```bash #!/command/with-contenv sh # shellcheck shell=bash if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then for FILENAME in /run/s6/container_environment/FILE__*; do SECRETFILE=$(cat "${FILENAME}") if [ -f ${SECRETFILE} ]; then FILESTRIP="$(echo ${FILENAME} | sed 's|FILE__||')" if [ $(tail -n1 "${SECRETFILE}" | wc -l) != 0 ]; then echo "[init-envfile] Your secret: $(basename ${FILENAME})" echo " contains a trailing newline and may not work as expected" fi cat "${SECRETFILE}" >"${FILESTRIP}" echo "[init-envfile] $(basename ${FILESTRIP}) set from $(basename ${FILENAME})" else echo "[init-envfile] cannot find secret in $(basename ${FILENAME})" fi done fi ``` `init-envfile/type` ``` oneshot ``` `init-envfile/up` ``` /etc/s6-overlay/s6-rc.d/init-envfile/run ``` Make all three files inside the `init-envfile` folder executable Then, we can mount the files into the container and set our environment variables accordingly: ``` services: ... web: image: ghcr.io/karakeep-app/karakeep:0.31.0 restart: unless-stopped volumes: - /path/to/your/directory:/data - ./init-envfile:/etc/s6-overlay/s6-rc.d/init-envfile - ./empty:/etc/s6-overlay/s6-rc.d/init-db-migration/dependencies.d/init-envfile - ./empty:/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile ... environment: ... FILE__OAUTH_CLIENT_SECRET: '/run/secrets/karakeep_oauth_client_secret' FILE__MEILI_MASTER_KEY: '/run/secrets/karakeep_meili_master_key' FILE__NEXTAUTH_SECRET: '/run/secrets/karakeep_nextauth_secret' secrets: - karakeep_oauth_client_secret - karakeep_meili_master_key - karakeep_nextauth_secret ``` Example container logs with the above modification: ``` s6-rc: info: service s6rc-oneshot-runner: starting s6-rc: info: service s6rc-oneshot-runner successfully started s6-rc: info: service fix-attrs: starting s6-rc: info: service init-envfile: starting s6-rc: info: service fix-attrs successfully started s6-rc: info: service legacy-cont-init: starting s6-rc: info: service legacy-cont-init successfully started [init-envfile] MEILI_MASTER_KEY set from FILE__MEILI_MASTER_KEY [init-envfile] NEXTAUTH_SECRET set from FILE__NEXTAUTH_SECRET [init-envfile] OAUTH_CLIENT_SECRET set from FILE__OAUTH_CLIENT_SECRET s6-rc: info: service init-envfile successfully started s6-rc: info: service init-db-migration: starting Running db migration script s6-rc: info: service init-db-migration successfully started s6-rc: info: service svc-workers: starting s6-rc: info: service svc-web: starting s6-rc: info: service svc-workers successfully started s6-rc: info: service svc-web successfully started s6-rc: info: service legacy-services: starting s6-rc: info: service legacy-services successfully started ▲ Next.js 15.3.8 - Local: http://localhost:3000 - Network: http://0.0.0.0:3000 ✓ Starting... 2026-03-01T15:21:23.283Z info: Tracing is disabled ✓ Ready in 1144ms ``` Maybe I can open a PR to add the above init script into the image
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
refactor/use-npm-singlefile
onetab
claude/issue-2596-20260321-1401
claude/fix-docs-button-responsive-V3aBQ
claude/review-import-backpressure-D4ArJ
claude/fix-archived-bookmarks-mobile-P9OJW
claude/issue-1189-20260211-1601
claude/fix-nested-smart-lists-3uFkt
claude/issue-2298-20251223-1704
feat/import-v3
claude/add-cli-search-subcommand-6kIe0
claude/add-bookmark-indexing-timestamps-96bPj
claude/auto-disable-failing-feeds-fkDhP
claude/add-tag-search-aliases-HzESD
feat/docker-compose-dev
claude/add-attachedby-tags-endpoint-01WYfemMGHJJjXsPYLvUJAno
claude/fix-crawler-memory-leaks-NE7Ct
bookmark-debugger
claude/issue-2352-20260106-1120
claude/issue-1977-20260102-2348
claude/add-banner-rendering-JeLUk
claude/add-descendant-qualifier-cUm26
claude/skip-metadata-refresh-archives-CAo4Y
claude/fix-archive-pending-banner-pAyGM
claude/add-embeddings-support-h2swV
claude/nested-manage-lists-QVV85
claude/privacy-type-system-MG1bT
claude/add-action-menu-icons-6hNKw
claude/issue-2299-20251223-1711
claude/bookmark-indexing-progress-QwZSI
claude/migrate-bookmark-attachments-3O2te
claude/add-2025-wrapped-feature-tIUIh
claude/improve-ai-settings-design-639tq
claude/add-youtube-metascraper-plugin-0lWC7
claude/add-problem-reporting-gSSEV
claude/add-mobile-list-menus-spcS7
claude/shadcn-bookmark-cards-WWHzP
claude/add-extensions-link-HTeXc
claude/add-onboarding-screens-hsYMO
claude/fix-settings-switch-overflow-nlzM4
claude/clamp-bookmark-titles-diAEz
claude/port-stats-mobile-expo-MuXAn
claude/whats-new-base-version-vrv8C
claude/fix-settings-auth-checks-jgyD8
claude/add-server-version-display-3sGa2
claude/fix-tag-editor-scrolling-rzdbG
claude/add-company-pricing-card-y5mHY
claude/audit-optimize-transactions-xpDVc
codex/ensure-consistent-ui-experience-across-app-pages
claude/plan-opentelemetry-integration-01Jx183mz1Ev8h8JoYj97Auw
libsql
db-indicies
claude/export-import-lists-01UuCWwdaqduAd35NppvjnMD
claude/configurable-worker-timeout-0198GQh6YrrRzqG62xnogyrz
claude/check-import-quota-01CPdxTpHp18Ba62bYcBTVbA
claude/scraper-worker-thread-01FEHen6MGrQHmdBstJSuiyA
claude/customize-dialog-styling-01CVjEv2KgyZJSpCg3mqkvR7
claude/add-asset-cache-headers-0175WhNcqwiwurrmjj52jnLT
claude/add-db-search-plugin-017Xxd4Jq3MfjWT788vgfbaq
benchmarks-2
claude/add-filtered-deletion-01DTxWNcg3hhqdNpeNLa3s6L
claude/actionbutton-loading-spinner-015DY5ZTvgPgFAXTZz3UGaYv
claude/add-broken-links-qualifier-01S31X1LsKiYb9gE1dXTKvi3
claude/docker-release-tag-trigger-01UmzFXEumhK2jdmRGtMcueo
claude/spread-feed-fetch-scheduling-01EihUtmZSyqeE1HfRMessxW
restate-idempotency
claude/align-android-ios-colors-01GJfkhEyZVBReohVioPa8ok
claude/improve-mobile-app-colors-0155LzHfkd5HyJr6YyZMsus5
codex/add-autocomplete-for-search-query-language
claude/add-bookmark-backups-016L2A8Z94n7tDgDdMPdFuAd
claude/restrict-binary-user-permissions-01FSGyy2RXGZvE26YbAejzGi
effect-ts
claude/prepare-trpc-npm-publish-0193EjfwpxSNVNcLXqXjs6Ln
shared-list-sidebar
claude/lazy-load-tiktoken-017UTNpJPTcMMQvNEBa1aFwo
codex/fix-asset-pre-processing-worker-abort-signals
add-groupid
claude/add-bookmark-list-button-01VF7uXYNLsVDzqdozWMXP5M
claude/extract-shared-ui-components-01DSVfaCr6WRqAyx1vJTZk9r
claude/migrate-shadcn-sidebar-01DKjpg9MD5PJ2potemSnbvW
claude/add-collaborators-rate-limits-01VjXyRWWPUkGQKa8d8D8qKj
claude/modernize-dark-mode-01FRfE81PAY5C44pFu1cYocf
claude/add-signed-url-bookmark-01PjYT1ZhvLK2FPJNTAhJsWf
restate-group-id
claude/add-highlights-page-012vhHpn8fVNp3gf7gBeW14s
claude/disable-shared-bookmark-features-01B9fiGUdu6NyWaxSQFsQBxP
claude/mobile-bookmark-grid-layouts-018cGBBMhPJVq6PJVRBpqT2r
claude/add-mobile-bookmark-summary-01494LYoh4sJW5Fj4GPm62Vj
claude/add-mobile-tags-screen-01WRADt4ZzvXVew1Y9vqF8SV
claude/add-highlight-notes-01LpanRLS4a2YMnT1qB5GTqX
claude/add-search-bar-014k2ngaqjwYRVSvqmbuECqr
claude/hide-collaborator-emails-01TQrkkMupC7CR9BTuDkireg
claude/list-invitation-approval-0129V89M1riXW6JqmoF74VfM
claude/add-bookmark-archive-sort-018VbGPGvtmsGgXFEERoAX7B
claude/add-mobile-smart-lists-01251tYo9u1SywE6XFezAv9e
claude/bookmark-drag-drop-01DmWq286ogHpDGHKcXjKr3z
claude/add-rss-import-01DH1Q2axcDeq8nQJR5MWjPJ
claude/mobile-inapp-browser-auth-01KiT6bwyntRPQ1X4oTtAveC
claude/offline-mode-react-query-01D1rE2bdBEPw2teGqunr5Gd
claude/add-singlefile-extension-support-01BEB9QQZABzwfZDvR9Bz5b2
claude/custom-list-slugs-01VxcfkNUXZ97FNpNVURopMq
claude/issue-2148-20251118-1133
claude/add-groupid-queue-fairness-011CV1r8Wb46HuGAg5o95i3m
claude/hide-viewer-shared-lists-01Fst6NBvdxrXXnDhUmjsNDP
claude/collaborative-lists-013AvDvMqkoszDVcSoCYgBcM
claude/implement-feature-01LT5XzGsbEhZkYXNEjEwdui
claude/fix-bookmark-loading-state-01AgF4H2drxwuTCJDB2Xgiu4
claude/admin-user-edit-013tbiRmb1KX2fhSYqmGKCu8
claude/expose-all-api-01YTruEW72WQYMtq4iZoaPkA
claude/add-doc-link-main-016NYLxShpKuH6R8XCBgeZtc
claude/fix-issue-2133-019JLvdSRAUbU4FtjQztcM6S
claude/explore-effect-ts-integration-01F7xb1dWwP1ma4LnLbFGfDD
claude/optimize-dockerfile-build-011CV5gDnPZbdbbVSPDofC4e
claude/add-custom-headers-guide-011CV249t16aWDRb1mCrzQdC
claude/mobile-app-signup-011CUxPtCXgU6U3T8GShTR2Q
claude/crawler-worker-fetch-browser-011CUvcRc24XEr9DTWDW6MX8
claude/fix-issue-784-011CUvubQrcZHG9S3KjpCKbK
codex/add-user-settings-for-inference-language-and-screenshots
claude/fix-mobile-signin-server-address-011CUnaUWwY2Fhq5Xbwhgr8H
better-auth-2
claude/issue-2028-20251012-1429
claude/issue-1010-20251012-1154
codex/update-feed-refresh-job-idempotency-key
restate
import-v2
fix-public-lists
recurse-delete-list
abort-dangling-processing
tag-pagination
ratelimit-plugin
claude/issue-1937-20250914-0912
codex/implement-title-search-query-qualifier
copilot/add-edit-button-for-notes
cookie-path
ai-tag-cleanup
codex/add-allowlist-and-blocklist-env-variables
mobile-retheme
expo-next-upgrade
opencode/issue1788-20250727215611
fix-trailing-slash-deduplication
edit-bookmark-dialog
bookmark-embeddings
rag
nextjs-15
bookmark-hover-bar
sapling-pr-archive-MohamedBassem
track-bookmark-assets
json-cli
admin-settings
mobile-dark-mode
android/v1.9.2-0
ios/v1.9.1-1
android/v1.9.1-0
ios/v1.9.1-0
ios/v1.9.0-2
ios/v1.9.0-1
android/v1.9.0-1
extension/v1.2.9
cli/v0.31.0
sdk/v0.31.0
mcp/v0.31.0
android/v1.9.0-0
ios/v1.9.0-0
v0.31.0
android/v1.8.5-0
cli/v0.30.0
sdk/v0.30.0
ios/v1.8.4-0
android/v1.8.4-0
v0.30.0
cli/v0.29.1
v0.29.3
v0.29.2
v0.29.1
sdk/v0.29.0
cli/v0.29.0
mcp/v0.29.0
ios/v1.8.3-0
android/v1.8.3-0
extension/v1.2.8
v0.29.0
android/v1.8.2-2
android/v1.8.2-1
ios/v1.8.2-0
android/v1.8.2-0
extension/v1.2.7
android/v1.8.1-0
ios/v1.8.1-0
v0.28.0
cli/v0.27.1
cli/v0.27.0
v0.27.1
sdk/v0.27.0
v0.27.0
android/v1.8.0-1
ios/v1.8.0-1
mcp/v0.26.0
sdk/v0.26.0
v0.26.0
cli/v0.25.0
ios/v1.7.0-1
mcp/v0.25.0
v0.25.0
extension/v1.2.6
ios/v1.7.0-0
android/v1.7.0-0
v0.24.1
v0.24.0
mcp/v0.23.10
mcp/v0.23.9
mcp/v0.23.8
extension/v1.2.5
mcp/v0.23.7
mcp/v0.23.6
mcp/v0.23.5
mcp/v0.23.4
sdk/v0.23.2
cli/v0.23.0
extension/v1.2.4
android/v1.6.9-1
ios/v1.6.9-1
v0.23.2
v0.23.1
sdk/v0.23.0
v0.23.0
ios/v1.6.9-0
sdk/v0.22.0
v0.22.0
android/v1.6.8-0
ios/v1.6.8-0
sdk/v0.21.2
sdk/v0.21.1
sdk/v0.21.0
v0.21.0
cli/v0.20.0
v0.20.0
ios/v1.6.7-4
android/v1.6.7-4
ios/v1.6.7-3
android/v1.6.7-3
android/v1.6.7-2
ios/v1.6.7-2
android/v1.6.7-1
ios/v1.6.7-1
ios/v1.6.7-0
android/v1.6.7-0
v0.19.0
android/v1.6.6-0
android/v1.6.5-0
ios/v1.6.5-0
ios/v1.6.4-0
android/v1.6.4-0
v0.18.0
v0.17.1
v0.17.0
ios/v1.6.3-0
android/v1.6.3-0
extension/v1.2.3
ios/v1.6.2-1
android/v1.6.2-1
ios/v1.6.2-0
android/v1.6.2-0
v0.16.0
ios/v1.6.1-3
android/v1.6.1-3
ios/v1.6.1-2
android/v1.6.1-2
android/v1.6.1-1
ios/v1.6.1-1
android/v1.6.1-0
ios/v1.6.1-0
extension/v1.2.2
android/v1.6.0-1
ios/v1.6.0-1
ios/v1.6.0
android/v1.6.0
cli/v0.13.7
cli/v0.13.6
v0.15.0
cli/v0.13.5
extension/v1.2.1
v0.14.0
cli/v0.13.3
cli/v0.13.2
cli/v0.13.1
cli/v0.13.0
v0.13.1
v0.13.0
mobile-v1.5.0
mobile-v1.4.0
v0.12.2
v0.12.1
v0.12.0
v0.11.1
v0.11.0
v0.10.1
v0.10.0
v0.9.0
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.4.1
v.0.4.0
v.0.3.1
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.0
Labels
Clear labels   
UI/UX

   
android

   
bug

   
dependencies

   
documentation

   
documentation

   
extension

   
feature request

   
feature request

   
good first issue

   
ios

   
long-term

   
performance

   
pri/high

   
pri/low

   
pri/medium

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
status/approved

   
status/icebox

   
status/pending_clarification

   
status/untriaged
No labels
UI/UX
android
bug
dependencies
documentation
documentation
extension
feature request
feature request
good first issue
ios
long-term
performance
pri/high
pri/low
pri/medium
pull-request
question
status/approved
status/icebox
status/pending_clarification
status/untriaged
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/karakeep#895
No description provided.