scripts/encrypt-plaintext-credentials.ts

/**
 * One-time migration: encrypt any plaintext credential rows in
 * `system_settings` that should now be AES-256-GCM encrypted per the
 * settings registry. Safe to re-run (idempotent — only touches plaintext
 * rows, skips rows that are already encrypted envelopes).
 *
 * Currently handles:
 *   - `documenso_api_key_override`            → in-place encrypt
 *   - `storage_s3_access_key` (legacy)        → encrypt + move to
 *                                                `storage_s3_access_key_encrypted`
 *   - `documenso_webhook_secret` (if string)  → in-place encrypt
 *
 * Run: `pnpm tsx scripts/encrypt-plaintext-credentials.ts`
 */
import { and, eq, isNull } from 'drizzle-orm';

import { db } from '@/lib/db';
import { systemSettings } from '@/lib/db/schema';
import { encrypt } from '@/lib/utils/encryption';

const KEYS_TO_ENCRYPT_IN_PLACE = ['documenso_api_key_override', 'documenso_webhook_secret'];

function isEncryptedEnvelope(value: unknown): boolean {
  return (
    typeof value === 'object' &&
    value !== null &&
    typeof (value as { iv?: unknown }).iv === 'string' &&
    typeof (value as { tag?: unknown }).tag === 'string' &&
    typeof (value as { data?: unknown }).data === 'string'
  );
}

async function encryptInPlace(key: string): Promise<{ touched: number; skipped: number }> {
  const rows = await db
    .select({ key: systemSettings.key, portId: systemSettings.portId, value: systemSettings.value })
    .from(systemSettings)
    .where(eq(systemSettings.key, key));

  let touched = 0;
  let skipped = 0;
  for (const row of rows) {
    if (isEncryptedEnvelope(row.value)) {
      skipped++;
      continue;
    }
    if (typeof row.value !== 'string' || row.value === '') {
      skipped++;
      continue;
    }
    const envelope = JSON.parse(encrypt(row.value)) as {
      iv: string;
      tag: string;
      data: string;
    };
    if (row.portId) {
      await db
        .update(systemSettings)
        .set({ value: envelope, updatedAt: new Date() })
        .where(and(eq(systemSettings.key, key), eq(systemSettings.portId, row.portId)));
    } else {
      await db
        .update(systemSettings)
        .set({ value: envelope, updatedAt: new Date() })
        .where(and(eq(systemSettings.key, key), isNull(systemSettings.portId)));
    }
    touched++;
  }
  return { touched, skipped };
}

async function moveS3AccessKeyToEncrypted(): Promise<{
  moved: number;
  alreadyMigrated: number;
}> {
  // Move global rows only — s3 storage settings are global by design.
  const legacyRows = await db
    .select({ value: systemSettings.value })
    .from(systemSettings)
    .where(and(eq(systemSettings.key, 'storage_s3_access_key'), isNull(systemSettings.portId)));

  if (legacyRows.length === 0) {
    return { moved: 0, alreadyMigrated: 0 };
  }

  // Check if the encrypted form already exists.
  const existingEncrypted = await db
    .select({ key: systemSettings.key })
    .from(systemSettings)
    .where(
      and(eq(systemSettings.key, 'storage_s3_access_key_encrypted'), isNull(systemSettings.portId)),
    );

  if (existingEncrypted.length > 0) {
    // Encrypted form wins; leave the legacy row in place so reads still
    // tolerate it (the storage layer reads both and prefers encrypted).
    return { moved: 0, alreadyMigrated: legacyRows.length };
  }

  const plaintext = legacyRows[0]!.value;
  if (typeof plaintext !== 'string' || plaintext === '') {
    return { moved: 0, alreadyMigrated: 0 };
  }
  const envelope = JSON.parse(encrypt(plaintext)) as { iv: string; tag: string; data: string };
  await db.insert(systemSettings).values({
    key: 'storage_s3_access_key_encrypted',
    portId: null,
    value: envelope,
  });
  // Drop the legacy plaintext row so it doesn't show up in admin
  // settings dumps anymore. The storage layer's backward-compat path
  // continues to handle older rows on other deployments.
  await db
    .delete(systemSettings)
    .where(and(eq(systemSettings.key, 'storage_s3_access_key'), isNull(systemSettings.portId)));
  return { moved: 1, alreadyMigrated: 0 };
}

async function main(): Promise<void> {
  console.log('Encrypting plaintext credentials...');

  for (const key of KEYS_TO_ENCRYPT_IN_PLACE) {
    const { touched, skipped } = await encryptInPlace(key);
    console.log(`  ${key}: ${touched} encrypted, ${skipped} skipped`);
  }

  const s3 = await moveS3AccessKeyToEncrypted();
  console.log(
    `  storage_s3_access_key → _encrypted: ${s3.moved} moved, ${s3.alreadyMigrated} already migrated`,
  );

  console.log('Done.');
  process.exit(0);
}

main().catch((err: unknown) => {
  console.error('Migration failed:', err);
  process.exit(1);
});
fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing- progress redesign + env-to-admin migration + dev-mode banner) with the 2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW). CRITICAL (3): - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths no longer silently drop interest links - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage — callers must go through /stage with the override-guard chain HIGH (14/15): - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across interests/documents/reservations/reminders/invoices (migration 0070) - H-02 login page reads ?redirect= param with same-origin guard - H-03 CRM invite token moves to URL fragment so it never lands in nginx access logs / Referer headers - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4) - H-05 toggleAccount writes an audit row - H-06 upsertSetting masks any value whose key ends with _encrypted - H-07 archiveClient cascade fires per-interest audit rows - H-08 createSalesTransporter applies SMTP_TIMEOUTS - H-09 AppShell stable children — viewport flip across breakpoint no longer destroys in-progress form drafts - H-10 portal documents page swaps Unicode glyph status icons for Lucide CheckCircle2/XCircle/Circle + aria-labels - H-12 list components swap alert(...) for toast.warning(...) - H-13 5 icon-only buttons gain aria-label - H-14 parseBody treats empty bodies as {} - H-15 admin layout renders a 403 panel instead of silent bounce - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet MEDIUM (28+): - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE WHEREs across custom-fields, notes (all 6 entity types x update + delete), client-contacts, yacht ownerClient lookup, webhook reads - M-D01 documents-hub realtime event-name typo (file:created -> uploaded) - M-EM01 portal-auth emails thread through portId - M-EM02 sendEmail accepts cc/bcc params - M-EM04 notification_digest catalog key - M-IN01 portal presigned download URLs use 4h TTL - M-IN02 OpenAI client lazy-instantiated - M-IN04 stale pdfme refs updated to pdf-lib AcroForm - M-IN05 umami.testConnection returns tagged union - M-L01 reservations tenure_type unified with berths - M-L02 report-generators canonicalize stage values - M-AU01 audit log placeholder copy fixed - M-AU04 outcome_set / outcome_cleared distinct audit verbs - M-NEW-2 activity feed entity name+type separator - M-R01 portal allowlist narrowed + portal_session backstop in proxy - M-SC02 companies archived partial index - M-SC04 audit_logs.searchText documented as DB-managed - M-S01 storage_s3_access_key_encrypted admin field - M-U01 audit log empty state uses <EmptyState> - M-U09 invoice delete dialog -> <AlertDialog> - M-U10 toast.success on ClientForm + InterestForm create/edit - M-U11 settings-form-card logo preview alt text - M-U14 mobile topbar title on clients/yachts/interests/berths - M-U15 Invoices in mobile More-sheet LOW (6/8): - L-AU01 severity defaults for security-relevant verbs - L-AU02 +13 missing actions in admin audit filter - L-AU03 +7 missing entity types in admin audit filter - L-AU04 dead listAuditLogs stubbed - L-D02 CLAUDE.md Owner-wins chain tightened Bonus — Document detail polish (#67 partial, 3/6 deliverables): - state-aware action button per signer - watcher Add UI with display-name resolution - cleanSignerName cleanup Prior session work bundled in: - Documenso v2 webhook + envelope-ID normalization + sequential signing - SigningProgress UI redesign (avatars, per-signer state, timestamps) - env->admin settings registry + RegistryDrivenForm + encrypted creds - Embedded-signing card + Test connection + setup help - Dev-mode EMAIL_REDIRECT_TO banner - Pipeline rules admin page - Sales email config card - Audit log details Sheet - EOI tab: Finalising badge, absolute timestamps, sequential indicator - Notes pipeline_stage_at_creation (migration 0069) - Documenso numeric ID dual-key webhook (migration 0068) - Dimensions criterion copy (migration 0067) Tests: 1374/1374 vitest pass. tsc clean. lint clean. See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and the user-input items still pending. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-18 13:28:50 +02:00			`/**`
			`* One-time migration: encrypt any plaintext credential rows in`
			* `system_settings` that should now be AES-256-GCM encrypted per the
			`* settings registry. Safe to re-run (idempotent — only touches plaintext`
			`* rows, skips rows that are already encrypted envelopes).`
			`*`
			`* Currently handles:`
			* - `documenso_api_key_override` → in-place encrypt
			* - `storage_s3_access_key` (legacy) → encrypt + move to
			* `storage_s3_access_key_encrypted`
			* - `documenso_webhook_secret` (if string) → in-place encrypt
			`*`
			* Run: `pnpm tsx scripts/encrypt-plaintext-credentials.ts`
			`*/`
			`import { and, eq, isNull } from 'drizzle-orm';`

			`import { db } from '@/lib/db';`
			`import { systemSettings } from '@/lib/db/schema';`
			`import { encrypt } from '@/lib/utils/encryption';`

			`const KEYS_TO_ENCRYPT_IN_PLACE = ['documenso_api_key_override', 'documenso_webhook_secret'];`

			`function isEncryptedEnvelope(value: unknown): boolean {`
			`return (`
			`typeof value === 'object' &&`
			`value !== null &&`
			`typeof (value as { iv?: unknown }).iv === 'string' &&`
			`typeof (value as { tag?: unknown }).tag === 'string' &&`
			`typeof (value as { data?: unknown }).data === 'string'`
			`);`
			`}`

			`async function encryptInPlace(key: string): Promise<{ touched: number; skipped: number }> {`
			`const rows = await db`
			`.select({ key: systemSettings.key, portId: systemSettings.portId, value: systemSettings.value })`
			`.from(systemSettings)`
			`.where(eq(systemSettings.key, key));`

			`let touched = 0;`
			`let skipped = 0;`
			`for (const row of rows) {`
			`if (isEncryptedEnvelope(row.value)) {`
			`skipped++;`
			`continue;`
			`}`
			`if (typeof row.value !== 'string' \|\| row.value === '') {`
			`skipped++;`
			`continue;`
			`}`
			`const envelope = JSON.parse(encrypt(row.value)) as {`
			`iv: string;`
			`tag: string;`
			`data: string;`
			`};`
			`if (row.portId) {`
			`await db`
			`.update(systemSettings)`
			`.set({ value: envelope, updatedAt: new Date() })`
			`.where(and(eq(systemSettings.key, key), eq(systemSettings.portId, row.portId)));`
			`} else {`
			`await db`
			`.update(systemSettings)`
			`.set({ value: envelope, updatedAt: new Date() })`
			`.where(and(eq(systemSettings.key, key), isNull(systemSettings.portId)));`
			`}`
			`touched++;`
			`}`
			`return { touched, skipped };`
			`}`

			`async function moveS3AccessKeyToEncrypted(): Promise<{`
			`moved: number;`
			`alreadyMigrated: number;`
			`}> {`
			`// Move global rows only — s3 storage settings are global by design.`
			`const legacyRows = await db`
			`.select({ value: systemSettings.value })`
			`.from(systemSettings)`
			`.where(and(eq(systemSettings.key, 'storage_s3_access_key'), isNull(systemSettings.portId)));`

			`if (legacyRows.length === 0) {`
			`return { moved: 0, alreadyMigrated: 0 };`
			`}`

			`// Check if the encrypted form already exists.`
			`const existingEncrypted = await db`
			`.select({ key: systemSettings.key })`
			`.from(systemSettings)`
			`.where(`
			`and(eq(systemSettings.key, 'storage_s3_access_key_encrypted'), isNull(systemSettings.portId)),`
			`);`

			`if (existingEncrypted.length > 0) {`
			`// Encrypted form wins; leave the legacy row in place so reads still`
			`// tolerate it (the storage layer reads both and prefers encrypted).`
			`return { moved: 0, alreadyMigrated: legacyRows.length };`
			`}`

			`const plaintext = legacyRows[0]!.value;`
			`if (typeof plaintext !== 'string' \|\| plaintext === '') {`
			`return { moved: 0, alreadyMigrated: 0 };`
			`}`
			`const envelope = JSON.parse(encrypt(plaintext)) as { iv: string; tag: string; data: string };`
			`await db.insert(systemSettings).values({`
			`key: 'storage_s3_access_key_encrypted',`
			`portId: null,`
			`value: envelope,`
			`});`
			`// Drop the legacy plaintext row so it doesn't show up in admin`
			`// settings dumps anymore. The storage layer's backward-compat path`
			`// continues to handle older rows on other deployments.`
			`await db`
			`.delete(systemSettings)`
			`.where(and(eq(systemSettings.key, 'storage_s3_access_key'), isNull(systemSettings.portId)));`
			`return { moved: 1, alreadyMigrated: 0 };`
			`}`

			`async function main(): Promise<void> {`
			`console.log('Encrypting plaintext credentials...');`

			`for (const key of KEYS_TO_ENCRYPT_IN_PLACE) {`
			`const { touched, skipped } = await encryptInPlace(key);`
			console.log(` ${key}: ${touched} encrypted, ${skipped} skipped`);
			`}`

			`const s3 = await moveS3AccessKeyToEncrypted();`
			`console.log(`
			` storage_s3_access_key → _encrypted: ${s3.moved} moved, ${s3.alreadyMigrated} already migrated`,
			`);`

			`console.log('Done.');`
			`process.exit(0);`
			`}`

			`main().catch((err: unknown) => {`
			`console.error('Migration failed:', err);`
			`process.exit(1);`
			`});`