docs(dev): integrate rest of the documentation

docs/Developer Guide/Developer Guide/Architecture.md

@@ -118,4 +118,85 @@ desktop → client → commons
 server  → client → commons
 client  → ckeditor5, codemirror, highlightjs
 ckeditor5 → ckeditor5-* plugins
-```
+```
+
+## Security summary
+
+### Encryption System
+
+**Per-Note Encryption:**
+
+*   Notes can be individually protected
+*   AES-128-CBC encryption for encrypted notes.
+*   Separate protected session management
+
+**Protected Session:**
+
+*   Time-limited access to protected notes
+*   Automatic timeout
+*   Re-authentication required
+*   Frontend: `protected_session.ts`
+*   Backend: `protected_session.ts`
+
+### Authentication
+
+**Password Auth:**
+
+*   PBKDF2 key derivation
+*   Salt per installation
+*   Hash verification
+
+**OpenID Connect:**
+
+*   External identity provider support
+*   OAuth 2.0 flow
+*   Configurable providers
+
+**TOTP (2FA):**
+
+*   Time-based one-time passwords
+*   QR code setup
+*   Backup codes
+
+### Authorization
+
+**Single-User Model:**
+
+*   Desktop: single user (owner)
+*   Server: single user per installation
+
+**Share Notes:**
+
+*   Public access without authentication
+*   Separate Shaca cache
+*   Read-only access
+
+### CSRF Protection
+
+**CSRF Tokens:**
+
+*   Required for state-changing operations
+*   Token in header or cookie
+*   Validation middleware
+
+### Input Sanitization
+
+**XSS Prevention:**
+
+*   DOMPurify for HTML sanitization
+*   CKEditor content filtering
+*   CSP headers
+
+**SQL Injection:**
+
+*   Parameterized queries only
+*   Better-sqlite3 prepared statements
+*   No string concatenation in SQL
+
+### Dependency Security
+
+**Vulnerability Scanning:**
+
+*   Renovate bot for updates
+*   npm audit integration
+*   Override vulnerable sub-dependencies