fix(instanda): set env on go-live, correct secrets docblock, add feed advisory
- F-03: switch_to_live() now sets espinstanda_env=live so environment() actually resolves to Live after go-live (was leaving real quotes on the Test endpoint). - F-04: correct the class-config docblock overstating the at-rest guarantee; it only holds when SPG_INSTANDA_KEY is a constant (else the key is self-provisioned into the same DB as the ciphertext). - F-02: add advisory A5 "exactly one active INSTANDA feed" to catch a stray test-form feed that also creates quotes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -9,8 +9,11 @@
|
||||
* an explicit, gated switch to Live - see the Go-Live checklist.
|
||||
*
|
||||
* Secrets entered in the admin UI are encrypted at rest with libsodium
|
||||
* (sodium_crypto_secretbox, XSalsa20-Poly1305). The key comes from the
|
||||
* SPG_INSTANDA_KEY constant, so a database dump alone never exposes a usable secret.
|
||||
* (sodium_crypto_secretbox, XSalsa20-Poly1305). The "a database dump alone never
|
||||
* exposes a usable secret" guarantee holds ONLY when the SPG_INSTANDA_KEY constant is
|
||||
* set: without it the key is self-provisioned into the DB (see db_key()), so the key
|
||||
* and ciphertext live in the same database and a dump recovers the password. Set
|
||||
* SPG_INSTANDA_KEY (and the credential constants) in production for the hardened posture.
|
||||
* Live credentials are expected as constants and are never written to the database.
|
||||
*
|
||||
* @package ESP\Instanda
|
||||
|
||||
Reference in New Issue
Block a user