forked from molecule-ai/molecule-core
262a52a32c
External architecture review flagged the SECRETS_ENCRYPTION_KEY env var on the platform as encryption-at-rest theater. The reviewer read only the platform repo and missed that the master key actually lives in AWS KMS at the control plane layer, with envelope encryption wrapping each tenant secret blob. Adds docs/architecture/secrets-key-custody.md as the canonical source of truth for the full chain: - Two-mode envelope (KMS_KEY_ARN vs static-key fallback) - Per-blob AES-256-GCM with KMS-wrapped DEKs - Where each key actually lives (KMS, CP env, tenant env) - Threat model per attacker capability - Rotation story (annual KMS CMK rotation, manual DEK rotation on incident) - Audit posture (SOC2 / ISO 27001 questionnaire bullets) Patches three downstream docs that previously stopped at the env-var level and link them to the new custody doc: - development/constraints-and-rules.md (Rule 11) - architecture/database-schema.md (workspace_secrets paragraph) - architecture/molecule-technical-doc.md (env-vars table) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| architecture.md | ||
| backends.md | ||
| canary-release.md | ||
| database-schema.md | ||
| event-log.md | ||
| memory.md | ||
| molecule-technical-doc.md | ||
| org-api-keys.md | ||
| overview.md | ||
| partner-api-keys.md | ||
| provisioner.md | ||
| saas-prod-migration-2026-04-19.md | ||
| secrets-key-custody.md | ||
| staging-environment.md | ||
| technology-choices.md | ||
| tenant-image-upgrades.md | ||
| wildcard-dns-proxy.md | ||
| workspace-tiers.md | ||