set default metadata encryption to flat

Author: ehsan6sha

README.md

@@ -136,17 +136,19 @@ async fn main() -> anyhow::Result<()> {
 ```rust
 use fula_client::{Config, EncryptedClient, EncryptionConfig};
 
+// FlatNamespace mode is default - complete structure hiding!
+// Server sees only random CID-like hashes (QmX7a8f3e2d1...)
 let encryption = EncryptionConfig::new();
 let client = EncryptedClient::new(
     Config::new("http://localhost:9000"),
     encryption,
 )?;
 
-// Data is encrypted before upload
-client.put_object_encrypted("bucket", "secret.txt", b"sensitive data").await?;
+// Data encrypted with FlatNamespace - server cannot see folder structure
+client.put_object_flat("bucket", "/photos/vacation/beach.jpg", data, None).await?;
 
-// Data is decrypted after download
-let data = client.get_object_decrypted("bucket", "secret.txt").await?;
+// List files from encrypted PrivateForest index
+let files = client.list_files_from_forest("bucket").await?;
 ```
 
 ### Large File Uploads
@@ -255,7 +257,8 @@ cargo run --example flat_namespace_demo
 
 ### Key Management
 
-- Generate keys locally using `EncryptionConfig::new()`
+- Generate keys locally using `EncryptionConfig::new()` (uses FlatNamespace by default)
+- Complete structure hiding - server cannot see folder/file relationships
 - Export/backup secret keys securely
 - Lost keys = lost data (no recovery possible)
 

crates/fula-client/src/encryption.rs

@@ -29,12 +29,18 @@ pub struct EncryptionConfig {
 }
 
 impl EncryptionConfig {
-    /// Create with a new random key (metadata privacy enabled by default)
+    /// Create a new encryption config with random keys
+    /// Metadata privacy is ENABLED by default with FlatNamespace mode (RECOMMENDED)
+    /// 
+    /// FlatNamespace provides complete structure hiding:
+    /// - Storage keys look like random CID-style hashes
+    /// - No prefixes or structure hints visible to server
+    /// - Server cannot determine folder structure or parent/child relationships
     pub fn new() -> Self {
         Self {
             key_manager: Arc::new(KeyManager::new()),
             metadata_privacy: true,
-            obfuscation_mode: KeyObfuscation::DeterministicHash,
+            obfuscation_mode: KeyObfuscation::FlatNamespace,
         }
     }
 
@@ -64,12 +70,12 @@ impl EncryptionConfig {
         }
     }
 
-    /// Create from an existing secret key
+    /// Create from an existing secret key (uses FlatNamespace by default)
     pub fn from_secret_key(secret: fula_crypto::keys::SecretKey) -> Self {
         Self {
             key_manager: Arc::new(KeyManager::from_secret_key(secret)),
             metadata_privacy: true,
-            obfuscation_mode: KeyObfuscation::DeterministicHash,
+            obfuscation_mode: KeyObfuscation::FlatNamespace,
         }
     }
 

docs/website/sdk.html

@@ -245,10 +245,10 @@ <h3>What's Protected</h3>
 
                     <h3>Obfuscation Modes</h3>
                     <ul>
-                        <li><strong>DeterministicHash</strong> - Same path → same key (default)</li>
+                        <li><strong>FlatNamespace (Default)</strong> - Complete structure hiding, maximum privacy</li>
+                        <li><strong>DeterministicHash</strong> - Same path → same key</li>
                         <li><strong>RandomUuid</strong> - Random key per upload</li>
                         <li><strong>PreserveStructure</strong> - Keep folders, hash filenames</li>
-                        <li><strong>FlatNamespace</strong> - Complete structure hiding (RECOMMENDED)</li>
                     </ul>
                 </div>
                 <div class="example">
@@ -258,7 +258,7 @@ <h3>Obfuscation Modes</h3>
                     </div>
                     <pre><code class="language-rust">use fula_client::{EncryptedClient, EncryptionConfig, KeyObfuscation, Config};
 
-// Metadata privacy is ENABLED by default
+// FlatNamespace (maximum privacy) is ENABLED by default
 let encryption = EncryptionConfig::new();
 
 // Or customize the obfuscation mode

docs/website/security.html

@@ -1125,13 +1125,13 @@ <h3>How It Works</h3>
                     <h3>Key Obfuscation Modes</h3>
                     <div class="modes-grid">
                         <div class="mode-card recommended">
-                            <h4>🌟 FlatNamespace (RECOMMENDED)</h4>
+                            <h4>🌟 FlatNamespace (DEFAULT)</h4>
                             <p>Complete structure hiding. Server sees only random CID-like hashes. Inspired by WNFS and Peergos.</p>
                             <code>/photos/beach.jpg → QmX7a8f3e2d1c9b4a5</code>
                             <small>No prefixes, no structure hints. Directory tree stored in encrypted PrivateForest index.</small>
                         </div>
                         <div class="mode-card">
-                            <h4>DeterministicHash (Default)</h4>
+                            <h4>DeterministicHash</h4>
                             <p>Same file path → Same storage key. Allows retrieval without local index.</p>
                             <code>/photos/beach.jpg → e/a7c3f9b2e8d14a6f</code>
                         </div>
@@ -1153,8 +1153,8 @@ <h3>Code Example</h3>
                     <div class="code-snippet">
                         <pre>use fula_client::{EncryptedClient, EncryptionConfig, KeyObfuscation};
 
-// RECOMMENDED: FlatNamespace for complete structure hiding
-let config = EncryptionConfig::new_flat_namespace();
+// DEFAULT: FlatNamespace for complete structure hiding
+let encryption = EncryptionConfig::new();  // FlatNamespace by default!
 let client = EncryptedClient::new(config, encryption)?;
 
 // Upload - server sees: QmX7a8f3e2d1c9b4a5e6f7d8...
@@ -1166,18 +1166,19 @@ <h3>Code Example</h3>
 // Server sees NOTHING about your folder structure!
 
 // ─────────────────────────────────────────────────────────
-// Alternative modes:
+// Alternative modes (for specific use cases):
 // ─────────────────────────────────────────────────────────
 
-// Default: deterministic hashing (reveals 'e/' prefix)
-let config = EncryptionConfig::new();
+// DeterministicHash - same path = same key, no local index needed
+let encryption = EncryptionConfig::new()
+    .with_obfuscation_mode(KeyObfuscation::DeterministicHash);
 
-// Customize obfuscation mode
-let config = EncryptionConfig::new()
+// PreserveStructure - keeps folder paths visible
+let encryption = EncryptionConfig::new()
     .with_obfuscation_mode(KeyObfuscation::PreserveStructure);
 
-// Disable metadata privacy (not recommended)
-let config = EncryptionConfig::new_without_privacy();
+// Disable metadata privacy entirely (not recommended)
+let encryption = EncryptionConfig::new_without_privacy();
 
 // Get full metadata including original filename
 let info = client.get_object_with_private_metadata(bucket, storage_key).await?;