fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation

Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.

- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
  data/.encryption_key if not set, same pattern as JWT_SECRET);
  switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
  CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
  ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
  persists it to data/.jwt_secret, updates the live in-process binding
  via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
  with a confirmation modal warning that all sessions will be
  invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
  secret.yaml, deployment.yaml, NOTES.txt, README): document
  ENCRYPTION_KEY and its upgrade migration path

chart/README.md

@@ -29,5 +29,6 @@ See `values.yaml` for more options.
 ## Notes
 - Ingress is off by default. Enable and configure hosts for your domain.
 - PVCs require a default StorageClass or specify one as needed.
-- JWT_SECRET must be set for production use.
+- `JWT_SECRET` should be set for production use; auto-generated and persisted to the data PVC if not provided.
+- `ENCRYPTION_KEY` encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Auto-generated and persisted to the data PVC if not provided. **Upgrading:** if a previous version used `JWT_SECRET`-derived encryption, set `secretEnv.ENCRYPTION_KEY` to your old `JWT_SECRET` value to keep existing encrypted data readable, then re-save credentials via the admin panel.
 - If using ingress, you must manually keep `env.ALLOWED_ORIGINS` and `ingress.hosts` in sync to ensure CORS works correctly. The chart does not sync these automatically.

chart/templates/NOTES.txt

@@ -1,13 +1,18 @@
-1. JWT_SECRET handling:
-   - By default, the chart creates a secret with the value from `values.yaml: secretEnv.JWT_SECRET`.
-   - To generate a random JWT_SECRET at install, set `generateJwtSecret: true`.
-   - To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must have a key matching `existingSecretKey` (defaults to `JWT_SECRET`).
+1. Secret handling (JWT_SECRET and ENCRYPTION_KEY):
+   - By default, the chart creates a Kubernetes Secret from the values in `secretEnv.JWT_SECRET` and `secretEnv.ENCRYPTION_KEY`.
+   - To generate random values for both at install (preserved across upgrades), set `generateJwtSecret: true`.
+   - To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must contain a key matching `existingSecretKey` (defaults to `JWT_SECRET`) and optionally an `ENCRYPTION_KEY` key. If `ENCRYPTION_KEY` is absent from the external secret, the server auto-generates and persists it to the data volume.
 
-2. Example usage:
-   - Set a custom secret: `--set secretEnv.JWT_SECRET=your_secret`
-   - Generate a random secret: `--set generateJwtSecret=true`
+2. ENCRYPTION_KEY notes:
+   - Encrypts stored API keys, MFA secrets, SMTP password, and OIDC client secret at rest.
+   - If left empty, auto-generated by the server and saved to the data PVC — safe as long as the PVC persists.
+   - Upgrading from a version that used JWT_SECRET for encryption: set `secretEnv.ENCRYPTION_KEY` to your old JWT_SECRET value to keep existing encrypted data readable, then re-save credentials via the admin panel.
+
+3. Example usage:
+   - Set explicit secrets: `--set secretEnv.JWT_SECRET=your_secret --set secretEnv.ENCRYPTION_KEY=your_enc_key`
+   - Generate random secrets: `--set generateJwtSecret=true`
    - Use an existing secret: `--set existingSecret=my-k8s-secret`
-   - Use a custom key in the existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_KEY`
+   - Use a custom key for JWT in existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_JWT_KEY`
 
-3. Only one method should be used at a time. If both `generateJwtSecret` and `existingSecret` are set, `existingSecret` takes precedence.
-   If using `existingSecret`, ensure the referenced secret and key exist in the target namespace.
+4. Only one method should be used at a time. If both `generateJwtSecret` and `existingSecret` are set, `existingSecret` takes precedence.
+   If using `existingSecret`, ensure the referenced secret and keys exist in the target namespace.

chart/templates/deployment.yaml

@@ -41,6 +41,12 @@ spec:
                 secretKeyRef:
                   name: {{ default (printf "%s-secret" (include "trek.fullname" .)) .Values.existingSecret }}
                   key: {{ .Values.existingSecretKey | default "JWT_SECRET" }}
+            - name: ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (printf "%s-secret" (include "trek.fullname" .)) .Values.existingSecret }}
+                  key: ENCRYPTION_KEY
+                  optional: true
           volumeMounts:
             - name: data
               mountPath: /app/data

chart/templates/secret.yaml

@@ -8,6 +8,7 @@ metadata:
 type: Opaque
 data:
   {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ .Values.secretEnv.JWT_SECRET | b64enc | quote }}
+  ENCRYPTION_KEY: {{ .Values.secretEnv.ENCRYPTION_KEY | b64enc | quote }}
 {{- end }}
 
 {{- if and (not .Values.existingSecret) (.Values.generateJwtSecret) }}
@@ -23,7 +24,9 @@ type: Opaque
 stringData:
   {{- if and $existingSecret $existingSecret.data }}
   {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ index $existingSecret.data (.Values.existingSecretKey | default "JWT_SECRET") | b64dec }}
+  ENCRYPTION_KEY: {{ index $existingSecret.data "ENCRYPTION_KEY" | b64dec }}
   {{- else }}
   {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ randAlphaNum 32 }}
+  ENCRYPTION_KEY: {{ randAlphaNum 32 }}
   {{- end }}
 {{- end }}

chart/values.yaml

@@ -19,15 +19,22 @@ env:
 # NOTE: If using ingress, ensure env.ALLOWED_ORIGINS matches the domains in ingress.hosts for proper CORS configuration.
 
 
-# JWT secret configuration
+# Secret environment variables stored in a Kubernetes Secret
 secretEnv:
-  # If set, use this value for JWT_SECRET (base64-encoded in secret.yaml)
+  # JWT signing secret. Auto-generated and persisted to the data PVC if not set.
   JWT_SECRET: ""
+  # At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC, etc.).
+  # Auto-generated and persisted to the data PVC if not set.
+  # Upgrading from a version that used JWT_SECRET for encryption: set this to your
+  # old JWT_SECRET value to keep existing encrypted data readable, then re-save
+  # credentials via the admin panel and rotate to a fresh random key.
+  ENCRYPTION_KEY: ""
 
-# If true, a random JWT_SECRET will be generated during install (overrides secretEnv.JWT_SECRET)
+# If true, random values for JWT_SECRET and ENCRYPTION_KEY are generated at install
+# and preserved across upgrades (overrides secretEnv values)
 generateJwtSecret: false
 
-# If set, use an existing Kubernetes secret for JWT_SECRET
+# If set, use an existing Kubernetes secret for JWT_SECRET (and optionally ENCRYPTION_KEY)
 existingSecret: ""
 existingSecretKey: JWT_SECRET