Commit Graph

1 Commits

Author SHA1 Message Date
null b95f771d18 test(security): lock in encryptionService — the secret-at-rest crown jewel (Phase 1)
Zero coverage on the AES-256-GCM + HKDF crypto that protects SimpleFIN
bank tokens, TOTP/recovery secrets, SMTP/OIDC creds and login-history
PII. A silent break in decryptSecret or the startup reEncryptWithEnvKey
migration would render every stored secret unrecoverable, invisibly.

Covers: round-trip on both key paths (env e2: / db v2:), unicode/empty/
large payloads, GCM tamper rejection, legacy (pre-v0.78 SHA-256) decrypt,
the env-key-required error, and the migration (migrate/skip/idempotent/
corrupt-tolerant). Suite 200 green.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
2026-07-05 12:55:51 -05:00