v0.1.9 — feat: per-category encryption keys to reduce blast radius
Release v0.1.9: Per-Category Encryption Keys
v0.1.9 replaces single-key encryption with four dedicated AES-256-GCM keys — one each for OAuth tokens, GitHub PATs, Neon connection strings, and project environment variables.
What Changed
- Added OAUTH_ENCRYPTION_KEY, GITHUB_ENCRYPTION_KEY, NEON_ENCRYPTION_KEY, ENV_VAR_ENCRYPTION_KEY environment variables
- New functions: encryptOAuth/decryptOAuth, encryptGitHub/decryptGitHub, encryptNeon/decryptNeon, encryptEnvVar/decryptEnvVar
- Migration helper: reEncryptForCategory() for rotating existing secrets
- All category-specific decryption falls back to the default key for backward compatibility
Why It Matters
A compromise of any single encryption key now only exposes secrets in that category. GitHub PATs remain protected even if the OAuth key is compromised, and Neon connection strings stay isolated from environment variables.
Migration
No immediate action required. Generate the four new keys and trigger the rotation job when ready — all existing data migrates automatically.
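The fallback-then-rotate behaviour described above, sketched as an added example (not the project's code). The function names, the blob layout and the in-memory keys are assumptions made for illustration; the project's own signatures and storage format are not shown on this page.

```javascript
// Added example, not the project's code; every name below is hypothetical.
const crypto = require("node:crypto");

// Constructed sample keys (32 random bytes each) standing in for the default
// key and the four per-category keys.
const DEFAULT_KEY = crypto.randomBytes(32);
const CATEGORY_KEYS = {
  oauth: crypto.randomBytes(32), github: crypto.randomBytes(32),
  neon: crypto.randomBytes(32), envVar: crypto.randomBytes(32),
};

function keyFor(category) {
  if (!Object.hasOwn(CATEGORY_KEYS, category)) throw new Error(`unknown category: ${category}`);
  return CATEGORY_KEYS[category];
}

// Blob layout (assumed for this example): base64(iv[12] || tag[16] || ciphertext).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function unseal(key, blob) {
  const raw = Buffer.from(blob, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the GCM tag does not verify under this key.
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}

const encryptFor = (category, plaintext) => seal(keyFor(category), plaintext);

function decryptFor(category, blob) {
  const key = keyFor(category); // resolved outside try: unknown category never falls back
  try {
    return { plaintext: unseal(key, blob), usedFallback: false };
  } catch {
    // Legacy record: authenticate it under the default key, or fail for good.
    return { plaintext: unseal(DEFAULT_KEY, blob), usedFallback: true };
  }
}

// Rotation step: rewrite only records that still depend on the default key.
function reEncrypt(category, blob) {
  const { plaintext, usedFallback } = decryptFor(category, blob);
  return usedFallback ? encryptFor(category, plaintext) : blob;
}
```

In this sketch, counting `usedFallback` results during normal reads is one way to tell when no stored record depends on the default key any longer.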
Release Notes
Successfully squash-merged PR #415 ("feat: per-category encryption keys to reduce blast radius") into main at commit 73b697f. The PR introduces per-category AES-256-GCM encryption keys (OAUTH_ENCRYPTION_KEY, GITHUB_ENCRYPTION_KEY, NEON_ENCRYPTION_KEY, ENV_VAR_ENCRYPTION_KEY) so that a compromise of any single key only exposes secrets in that one category — a major blast-radius reduction. The change is fully backward-compatible with automatic fallback to the default key for legacy data, and includes a rotation Inngest job for migrating existing secrets. 19 files changed (+559/−110). The release tag v0.1.9 already existed in the repository, so no new release object was created — the merge stands and the code is live on main.