fix(instanda): set env on go-live, correct secrets docblock, add feed advisory

- F-03: switch_to_live() now sets espinstanda_env=live so environment() actually
  resolves to Live after go-live (was leaving real quotes on the Test endpoint).
- F-04: correct the class-config docblock overstating the at-rest guarantee; it
  only holds when SPG_INSTANDA_KEY is a constant (else the key is self-provisioned
  into the same DB as the ciphertext).
- F-02: add advisory A5 "exactly one active INSTANDA feed" to catch a stray
  test-form feed that also creates quotes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 16:06:10 -06:00
co-authored by Claude Fable 5
parent 9883323161
commit 4d7abdbb3b
2 changed files with 29 additions and 2 deletions
@@ -9,8 +9,11 @@
* an explicit, gated switch to Live - see the Go-Live checklist.
*
* Secrets entered in the admin UI are encrypted at rest with libsodium
* (sodium_crypto_secretbox, XSalsa20-Poly1305). The key comes from the
* SPG_INSTANDA_KEY constant, so a database dump alone never exposes a usable secret.
* (sodium_crypto_secretbox, XSalsa20-Poly1305). The "a database dump alone never
* exposes a usable secret" guarantee holds ONLY when the SPG_INSTANDA_KEY constant is
* set: without it the key is self-provisioned into the DB (see db_key()), so the key
* and ciphertext live in the same database and a dump recovers the password. Set
* SPG_INSTANDA_KEY (and the credential constants) in production for the hardened posture.
* Live credentials are expected as constants and are never written to the database.
*
* @package ESP\Instanda