Add database migration scripts and configuration files

- Add verify-migration.js script for testing database migrations
- Add database config module for centralized configuration
- Add chutes.txt prompt for system responses
- Update database implementation and testing documentation
- Add database migration and setup scripts
- Update session system and LLM tool configuration
- Update deployment checklist and environment example
- Update Dockerfile and docker-compose configuration

chat/DATABASE_IMPLEMENTATION.md

@@ -5,7 +5,7 @@ This implementation adds database encryption at rest and secure session manageme
 ## Features
 
 ### Phase 1.2: Database with Encryption at Rest
-- ✅ SQLite database with better-sqlite3
+- ✅ SQLCipher-encrypted SQLite database with better-sqlite3
 - ✅ Field-level AES-256-GCM encryption for sensitive data
 - ✅ PBKDF2 key derivation (100,000 iterations)
 - ✅ WAL mode for better concurrency
@@ -24,16 +24,17 @@ This implementation adds database encryption at rest and secure session manageme
 ## Architecture
 
 ### Database Schema
-- **users**: User accounts with encrypted email, name, 2FA secrets
+- **users**: User accounts with encrypted email, name, 2FA secrets + JSON data column
 - **sessions**: Active sessions for revocation
 - **refresh_tokens**: Refresh tokens with device fingerprinting
 - **token_blacklist**: Immediate token revocation
-- **affiliates**, **withdrawals**, **feature_requests**, **contact_messages**
+- **affiliate_accounts** (current app), **affiliates** (legacy), **withdrawals**, **feature_requests**, **contact_messages**
 - **audit_log**: Comprehensive security event logging
 - **payment_sessions**: DoDo payment tracking
 
 ### Encryption
-- **Algorithm**: AES-256-GCM with authenticated encryption
+- **Database**: SQLCipher encryption at rest
+- **Algorithm**: AES-256-GCM with authenticated encryption (field-level)
 - **Key Derivation**: PBKDF2 with 100,000 iterations
 - **Per-field**: Sensitive fields encrypted individually
 - **Token Storage**: PBKDF2 hashed (not encrypted) for secure comparison
@@ -65,8 +66,12 @@ Optional:
 ```bash
 USE_JSON_DATABASE=1              # Use JSON files instead of database (for rollback)
 DATABASE_PATH=./.data/shopify_ai.db
+DATABASE_KEY_FILE=./.data/.encryption_key
 DATABASE_BACKUP_ENABLED=1
 DATABASE_WAL_MODE=1
+DATABASE_USE_SQLCIPHER=1
+DATABASE_CIPHER_COMPAT=4
+DATABASE_KDF_ITER=64000
 JWT_ACCESS_TOKEN_TTL=900         # 15 minutes in seconds
 JWT_REFRESH_TOKEN_TTL=604800     # 7 days in seconds
 ```
@@ -135,14 +140,14 @@ export USE_JSON_DATABASE=1
 
 ### Verify Database Setup
 ```bash
-# Check database exists and tables are created
-sqlite3 ./.data/shopify_ai.db ".tables"
+# Check database exists and tables are created (SQLCipher)
+sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"
 
 # Should output:
-# affiliates         payment_sessions   token_blacklist
-# audit_log          refresh_tokens     users
-# contact_messages   sessions           withdrawals
-# feature_requests
+# affiliate_accounts payment_sessions   token_blacklist
+# affiliates         refresh_tokens     users
+# audit_log          sessions           withdrawals
+# contact_messages   feature_requests
 ```
 
 ### Test Encryption
@@ -161,8 +166,8 @@ node scripts/migrate-to-database.js
 
 ### Database Health
 - Check file size: `ls -lh ./.data/shopify_ai.db`
-- Check WAL mode: `sqlite3 ./.data/shopify_ai.db "PRAGMA journal_mode;"`
-- Check tables: `sqlite3 ./.data/shopify_ai.db ".tables"`
+- Check WAL mode: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; PRAGMA journal_mode;"`
+- Check tables: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"`
 
 ### Audit Logs
 Audit logs are stored in the `audit_log` table and include: