fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation

Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.

- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
  data/.encryption_key if not set, same pattern as JWT_SECRET);
  switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
  CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
  ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
  persists it to data/.jwt_secret, updates the live in-process binding
  via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
  with a confirmation modal warning that all sessions will be
  invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
  secret.yaml, deployment.yaml, NOTES.txt, README): document
  ENCRYPTION_KEY and its upgrade migration path

server/src/config.ts

@@ -2,19 +2,19 @@ import crypto from 'crypto';
 import fs from 'fs';
 import path from 'path';
 
-let JWT_SECRET: string = process.env.JWT_SECRET || '';
+let _jwtSecret: string = process.env.JWT_SECRET || '';
 
-if (!JWT_SECRET) {
+if (!_jwtSecret) {
   const dataDir = path.resolve(__dirname, '../data');
   const secretFile = path.join(dataDir, '.jwt_secret');
 
   try {
-    JWT_SECRET = fs.readFileSync(secretFile, 'utf8').trim();
+    _jwtSecret = fs.readFileSync(secretFile, 'utf8').trim();
   } catch {
-    JWT_SECRET = crypto.randomBytes(32).toString('hex');
+    _jwtSecret = crypto.randomBytes(32).toString('hex');
     try {
       if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-      fs.writeFileSync(secretFile, JWT_SECRET, { mode: 0o600 });
+      fs.writeFileSync(secretFile, _jwtSecret, { mode: 0o600 });
       console.log('Generated and saved JWT secret to', secretFile);
     } catch (writeErr: unknown) {
       console.warn('WARNING: Could not persist JWT secret to disk:', writeErr instanceof Error ? writeErr.message : writeErr);
@@ -25,4 +25,45 @@ if (!JWT_SECRET) {
 
 const JWT_SECRET_IS_GENERATED = !process.env.JWT_SECRET;
 
-export { JWT_SECRET, JWT_SECRET_IS_GENERATED };
+// export let so TypeScript's CJS output keeps exports.JWT_SECRET live
+// (generates `exports.JWT_SECRET = JWT_SECRET = newVal` inside updateJwtSecret)
+export let JWT_SECRET = _jwtSecret;
+
+// Called by the admin rotate-jwt-secret endpoint to update the in-process
+// binding that all middleware and route files reference.
+export function updateJwtSecret(newSecret: string): void {
+  JWT_SECRET = newSecret;
+}
+
+// ENCRYPTION_KEY is used to derive at-rest encryption keys for stored secrets
+// (API keys, MFA TOTP secrets, SMTP password, OIDC client secret, etc.).
+// Keeping it separate from JWT_SECRET means you can rotate session tokens without
+// invalidating all stored encrypted data, and vice-versa.
+//
+// Upgrade note: if you already have encrypted data stored under a previous build
+// that used JWT_SECRET for encryption, set ENCRYPTION_KEY to the value of your
+// old JWT_SECRET so existing encrypted values continue to decrypt correctly.
+// After re-saving all credentials via the admin panel you can switch to a new
+// random ENCRYPTION_KEY.
+let ENCRYPTION_KEY: string = process.env.ENCRYPTION_KEY || '';
+
+if (!ENCRYPTION_KEY) {
+  const dataDir = path.resolve(__dirname, '../data');
+  const keyFile = path.join(dataDir, '.encryption_key');
+
+  try {
+    ENCRYPTION_KEY = fs.readFileSync(keyFile, 'utf8').trim();
+  } catch {
+    ENCRYPTION_KEY = crypto.randomBytes(32).toString('hex');
+    try {
+      if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+      fs.writeFileSync(keyFile, ENCRYPTION_KEY, { mode: 0o600 });
+      console.log('Generated and saved encryption key to', keyFile);
+    } catch (writeErr: unknown) {
+      console.warn('WARNING: Could not persist encryption key to disk:', writeErr instanceof Error ? writeErr.message : writeErr);
+      console.warn('Encrypted secrets will be unreadable after restart. Set ENCRYPTION_KEY env var for persistent encryption.');
+    }
+  }
+}
+
+export { JWT_SECRET_IS_GENERATED, ENCRYPTION_KEY };

server/src/routes/admin.ts

@@ -10,6 +10,7 @@ import { writeAudit, getClientIp, logInfo } from '../services/auditLog';
 import { getAllPermissions, savePermissions, PERMISSION_ACTIONS } from '../services/permissions';
 import { revokeUserSessions } from '../mcp';
 import { maybe_encrypt_api_key, decrypt_api_key } from '../services/apiKeyCrypto';
+import { updateJwtSecret } from '../config';
 
 const router = express.Router();
 
@@ -559,4 +560,28 @@ router.delete('/mcp-tokens/:id', (req: Request, res: Response) => {
   res.json({ success: true });
 });
 
+router.post('/rotate-jwt-secret', (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const newSecret = crypto.randomBytes(32).toString('hex');
+  const dataDir = path.resolve(__dirname, '../../data');
+  const secretFile = path.join(dataDir, '.jwt_secret');
+  try {
+    if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+    fs.writeFileSync(secretFile, newSecret, { mode: 0o600 });
+  } catch (err: unknown) {
+    return res.status(500).json({ error: 'Failed to persist new JWT secret to disk' });
+  }
+  updateJwtSecret(newSecret);
+  writeAudit({
+    user_id: authReq.user?.id ?? null,
+    username: authReq.user?.username ?? 'unknown',
+    action: 'admin.rotate_jwt_secret',
+    target_type: 'system',
+    target_id: null,
+    details: null,
+    ip: getClientIp(req),
+  });
+  res.json({ success: true });
+});
+
 export default router;

server/src/services/apiKeyCrypto.ts

@@ -1,10 +1,10 @@
 import * as crypto from 'crypto';
-import { JWT_SECRET } from '../config';
+import { ENCRYPTION_KEY } from '../config';
 
 const ENCRYPTED_PREFIX = 'enc:v1:';
 
 function get_key() {
-  return crypto.createHash('sha256').update(`${JWT_SECRET}:api_keys:v1`).digest();
+  return crypto.createHash('sha256').update(`${ENCRYPTION_KEY}:api_keys:v1`).digest();
 }
 
 export function encrypt_api_key(plain: unknown) {

server/src/services/mfaCrypto.ts

@@ -1,8 +1,8 @@
 import crypto from 'crypto';
-import { JWT_SECRET } from '../config';
+import { ENCRYPTION_KEY } from '../config';
 
 function getKey(): Buffer {
-  return crypto.createHash('sha256').update(`${JWT_SECRET}:mfa:v1`).digest();
+  return crypto.createHash('sha256').update(`${ENCRYPTION_KEY}:mfa:v1`).digest();
 }
 
 /** Encrypt TOTP secret for storage in SQLite. */