feat(vault): add encryption-at-rest vault for environment variables

[penso]

Summary

• Adds a new moltis-vault crate implementing XChaCha20-Poly1305 encryption-at-rest with Argon2id key derivation
• Two-layer key hierarchy (Password → KEK → DEK) so password changes only re-wrap the DEK
• Recovery key support (128-bit random, 32-char alphanumeric encoding) for emergency vault access
• Integrates with auth flow: vault initializes on setup, unseals on login, re-wraps on password change
• Vault guard middleware blocks API requests with 423 Locked when sealed (not when uninitialized)
• Environment variables encrypted with AAD (env:{key}) to prevent ciphertext swapping
• Plaintext → encrypted migration runs automatically on vault unseal
• Vault status exposed in gon data (window.__MOLTIS__.vaultStatus) for frontend
• Full documentation in docs/src/vault.md

Crate structure (crates/vault/)

Module	Purpose
vault.rs	Core Vault struct with init/unseal/seal/encrypt/decrypt/change_password
kdf.rs	Argon2id key derivation with configurable params
xchacha20.rs	XChaCha20-Poly1305 AEAD encrypt/decrypt with AAD
key_wrap.rs	DEK wrapping/unwrapping with KEK
recovery.rs	Recovery key generation, encoding, and verification
migration.rs	Plaintext → encrypted env var migration
error.rs	VaultError enum via thiserror
traits.rs	VaultBackend trait for testing

Integration points

• auth_routes.rs: Vault init on setup (returns recovery key), unseal on login, re-wrap on password change
• auth_middleware.rs: Vault guard layer blocks API when sealed
• credential_store.rs: Encrypt/decrypt env vars via vault
• state.rs: vault: Option<Arc<Vault>> field on GatewayState
• server.rs: Vault initialization at startup
• templates.rs: Vault status in gon data

Validation

Completed

• cargo check -p moltis-vault — compiles clean
• cargo test -p moltis-vault — 38 tests pass
• cargo test -p moltis-auth --features vault — 40 tests pass
• cargo test -p moltis-gateway — 49 tests pass
• cargo check -p moltis (full CLI) — compiles clean
• just format — formatted
• Clippy clean on vault-affected crates
• mdbook build — docs build successfully

Remaining

• E2E tests for vault unlock UI flow
• KeyStore/TokenStore encryption (blocked on async refactor)
• local-validate.sh (requires PR number)

Manual QA

• Verified vault API signatures match integration code
• Cross-referenced docs against actual source (KDF params, recovery key format, DB schema)
• Confirmed vault guard only blocks on sealed state, not uninitialized

[codspeed-hq]

Merging this PR will not alter performance

✅ 39 untouched benchmarks
⏩ 5 skipped benchmarks¹

---

_{Comparing vault-encryption (500c14a) with main (7eae997)}

Footnotes

1. 5 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[codecov]

Codecov Report

❌ Patch coverage is 87.42138% with 140 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/gateway/src/auth_routes.rs	19.38%	79 Missing ⚠️
crates/gateway/src/server.rs	11.11%	16 Missing ⚠️
crates/gateway/src/auth_middleware.rs	40.00%	12 Missing ⚠️
crates/vault/src/key_wrap.rs	88.60%	9 Missing ⚠️
crates/vault/src/migration.rs	94.79%	9 Missing ⚠️
crates/auth/src/credential_store.rs	93.44%	8 Missing ⚠️
crates/vault/src/vault.rs	98.61%	4 Missing ⚠️
crates/web/src/templates.rs	40.00%	3 Missing ⚠️

📢 Thoughts on this report? Let us know!