thcode stores every conversation in a single SQLite database that lives in the native user-state directory for the current OS user. Session metadata, transcript entries, token ledger records, and context extensions are all encrypted before they reach the database. A separate durable event journal — co-located in the same SQLite file — provides crash-consistent commit visibility for every operation that modifies session state. Together, these two layers mean your conversation history survives process crashes, model switches, and workspace moves while remaining unreadable without the per-install encryption key.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Temicide/thcode/llms.txt
Use this file to discover all available pages before exploring further.
Platform Paths
The database path is determined bysessionsDbPath() in platform/paths.ts, which resolves to the OS-native user-state directory:
| Platform | Path |
|---|---|
| Windows | %LOCALAPPDATA%\thcode\sessions.db |
| macOS | ~/Library/Application Support/thcode/sessions.db |
| Linux | $XDG_STATE_HOME/thcode/sessions.db (fallback: ~/.local/state/thcode/sessions.db) |
Encryption at Rest
Every sensitive field is encrypted with AES-256-GCM before it is written to SQLite (ADR 0018). This includes transcript content, session names, workspace paths, context extension envelopes, and any other content capable of revealing source code or personal data.The EncryptedField Envelope
Key Lifecycle
A 32-byte random data-encryption key (generateDataKey()) is generated on first use and stored in the operating-system credential store — Windows Credential Manager on Windows-first deployments. The key is never written to SQLite, project files, logs, prompts, or telemetry.
SessionStore.open() returns { ok: false, mode: 'recovery-locked' } and refuses to open — it never replaces a key that might be the only key capable of decrypting existing data.
Workspace Binding Index
The workspace path stored per session is encrypted. However, SQLite needs to filter sessions by workspace without decrypting every row. This is solved with a keyed, non-reversible HMAC:sessions.workspace_index and used for workspace-filtered listing.
SessionStore
SessionStore is the SQLite-backed repository for all session data. It is opened via the static SessionStore.open() factory, which also runs schema migration and journal DDL initialization.
The store exposes typed methods for all session operations:
SQLite operates in WAL (Write-Ahead Log) mode. This provides atomic writes and allows the journal and session tables to be updated in coordinated transactions.
TranscriptRole Types
TranscriptEntry carries a sequential seq number within its session, a role, an encrypted content field, and a timestamp. Transcript content is decrypted on read inside the trusted thcode process — SQLite never holds plaintext content.
SessionJournal
The journal is the sole commit-visibility authority for all durable operations. It is stored in the same SQLite file as session data, co-created by the sameSessionStore.open() call via JOURNAL_DDL.
SessionRepository.append() wraps every write in a single SQLite transaction that allocates the next (session_id, seq) and aggregate_version in one atomic step. Re-appending the same event_id is a no-op — the journal is idempotent by event identity.
Recovery Pass
On everySessionRepository construction, a recovery pass runs:
- It finds all operations with a lifecycle-fact event (
EffectDispatchCommitted) that have no corresponding terminal event (OperationSucceeded,OperationFailed,OperationBlocked,OperationCancelled,OperationUnknownOutcome). - For each incomplete operation, it appends an
OperationUnknownOutcomeevent.
Global vs. Local Session Stores
Sessions are global to the local OS user, not scoped to a single workspace (ADR 0017). This means:/sessioncan browse sessions from any working directory- Sessions can be filtered by current workspace, other workspaces, or unbound sessions
- Deleting or moving a workspace does not delete the session transcript
Global Store
One SQLite file at the OS-native user-state path. Stores all sessions across all workspaces. Survives workspace deletion.
Workspace Binding
Each session records its workspace path (encrypted) and a workspace index (HMAC). The binding is preserved, not overwritten, on re-open from another directory.
Saved Transcript vs. Active Context
A session’s Saved Transcript and the Active Model Context are distinct and independently managed (ADR 0014):- Saved Transcript
- Active Model Context
The complete, unabridged conversation history persisted in the encrypted
transcript_entries table. Every turn is stored verbatim and is never deleted, rewritten, or compacted by automatic processes. Users can browse the full history at any time regardless of context budget.Context Utilization Meter
The context utilization meter reports Active Context Utilization as a percentage of the selected model’s Effective Context Capacity (ADR 0015). This is not cumulative token usage.Ctx N%, where N is the current utilization percentage. Severity bands apply additional styling:
| Range | Band |
|---|---|
| 0–69% | Green |
| 70–84% | Amber |
| 85–94% | Orange |
| 95–100% | Red |
Context Compaction
compactContext() runs automatically before a provider call if the projected Active Model Context would exceed Effective Context Capacity. It targets ≤70% utilization after compaction:
- Identifies old, unprotected (non-pinned) items
- Replaces their content with a deterministic summary (up to 240 characters)
- Marks the items as
compactedwith a transformation record - Re-checks that protected content still fits
Session Restoration Boundary
Opening a Saved Session restores its complete knowledge state but resets authority (ADR 0016): Restored from storage:- Complete Chat Transcript
- Selected model and Work Mode
- Pinned turns and compaction history
- Referenced-artifact manifest and plans
- Tool and verification history
- Cumulative Token Usage
- Workspace path
- Runtime Activation (always fresh)
- Permission Profile (always resets to Manual)
- Full Access (never restored)
- Sensitive-transfer authorization (never restored)
- Temporary action approvals (never restored)