feat(vault): encryption-at-rest with XChaCha20-Poly1305 #81
Open
New `moltis-vault` crate providing encryption-at-rest for sensitive data. Password-derived KEK wraps a random DEK via Argon2id. Trait-based Cipher abstraction allows swapping backends. Recovery key generated at vault creation.

Gateway integration:
- Feature flag `vault` (default-enabled)
- vault_guard middleware returns 423 Locked when sealed
- Vault API routes: status, unlock, recovery
- Setup handler initializes vault and returns recovery key
- Login handler unseals vault and migrates plaintext env vars
- Change password re-wraps vault DEK
- CredentialStore encrypts/decrypts env variable values
- GonData exposes vault_status to frontend

Plans written for vault architecture and proxy credential injection (TLS MITM for runtime secret protection).
Resolve conflicts from main merge:
- auth_routes: keep vault unseal on login + adopt session_response headers param and localhost cookie domain tests from main
- server: adopt add_feature_routes rename (middleware moved to router-level auth_gate), keep vault_guard as separate router-level layer
- server GonData: keep vault_status field alongside new sandbox and routes fields
- Rename env_variables_encrypted migration (20260210100000 → 20260210200000) to avoid timestamp collision with sessions' session_version migration
The vault_guard middleware was returning 423 Locked for all API routes when the vault was uninitialized (no password set yet). Now it only blocks when the vault is sealed (initialized but not unlocked), letting fresh installations work normally.
Summary
- `moltis-vault` crate: XChaCha20-Poly1305 encryption-at-rest with trait-based `Cipher` abstraction, Argon2id KDF, recovery key support, and 38 unit tests
- `vault` feature flag (default-enabled), `vault_guard` middleware (423 Locked), vault API routes, CredentialStore env var encryption/decryption, GonData `vault_status`
- `plans/encryption-at-rest-vault.md` and `plans/proxy-credential-injection.md`

Validation
Completed
- `cargo +nightly fmt --all --check` — clean
- `cargo +nightly clippy --workspace --all-targets` — 0 warnings
- `cargo test -p moltis-vault` — 38 tests pass
- `cargo test -p moltis-gateway` — 33 tests pass (27 auth + 6 chat)
- `cargo test --workspace` — all pass, 0 failures
- `taplo fmt` — TOML formatted
- `cargo fetch --locked` — lockfile in sync

Remaining
Manual QA
Not yet performed — requires frontend work (unlock page) to test the full user flow. Backend-only verification done via test suite.
🤖 Generated with Claude Code