docs(runbooks): add MEK rotation and secret-management runbooks

Sprint B — closes audit items B4 and B5. - docs/runbooks/MEK_ROTATION.md: step-by-step procedure for rotating the field-encrypt master key in Azure Key Vault, including pre-flight checks, rewrapAllDeks usage, verification queries, rollback, and lost-MEK recovery. Replaces the previous gap where MEK rotation had no documented operator path. - docs/runbooks/SECRET_MANAGEMENT.md: inventory of every secret consumed by NoteLett with its production source (AKV), two production-grade patterns (workload identity vs K8s CSI), the compose-host pattern, rotation flow per secret type, verification commands, and red-flag triage. Both docs cross-link each other and call out concrete open items (automation, dual-JWT support, audit-log emission) for later sprints rather than overstating current capabilities.
2026-05-22 23:23:38 -07:00 · 2026-05-22 23:23:38 -07:00 · bcad7d330a
commit bcad7d330a
parent 1258d49488
2 changed files with 271 additions and 0 deletions
--- a/docs/runbooks/MEK_ROTATION.md
+++ b/docs/runbooks/MEK_ROTATION.md
@ -0,0 +1,135 @@
 # Runbook — MEK (Master Encryption Key) Rotation
 > **Owner:** Platform / Security
 > **Touches:** `@bytelyst/field-encrypt`, Azure Key Vault, NoteLett backend (port 4016)
 > **Risk:** Medium — operates on encrypted Cosmos documents. A failure mid-rewrap leaves DEKs wrapped under a mix of old and new MEK versions, which is recoverable but requires the old MEK to remain readable until rotation completes.
 ## Background
 NoteLett uses envelope encryption from `@bytelyst/field-encrypt`:
 - **MEK** (Master Encryption Key) lives in Azure Key Vault (or `FIELD_ENCRYPT_KEY` env in non-prod).
 - **DEKs** (per-document Data Encryption Keys) are wrapped by the MEK and stored in the Cosmos `dek_store` container.
 - Encrypted fields on note documents carry a `dekId` plus a `mekVersion` so the backend can find the right DEK and the right MEK version.
 Rotation means: keep all encrypted document fields unchanged, generate a **new MEK version**, and **rewrap every DEK** so future reads use the new MEK. Old documents are never re-encrypted — only the DEK wrapping layer changes.
 ## Pre-flight Checklist
 - [ ] Confirm `FIELD_ENCRYPT_ENABLED=true` in the target environment.
 - [ ] Confirm `FIELD_ENCRYPT_KEY_PROVIDER=akv` and `AZURE_KEYVAULT_URL` is set in production.
 - [ ] Confirm the operator running rotation has both `keys/wrapKey` and `keys/unwrapKey` permissions on the target AKV key.
 - [ ] Take a Cosmos DB snapshot or enable point-in-time restore on the `dek_store` container (and any container holding encrypted documents).
 - [ ] Confirm there are no in-flight migrations from `scripts/encrypt-migrate.ts` running against this environment.
 - [ ] Notify on-call channel; rotation should be scheduled in a low-traffic window because the rewrap loop holds the DEK cache invalidated.
 ## Rotation Procedure
 ### Step 1 — Create a new MEK version in AKV
 ```bash
 # Azure CLI example: create a new version of the existing key.
 az keyvault key create \
  --vault-name "<vault-name>" \
  --name "notelett-mek" \
  --kty RSA \
  --size 4096
 ```
 The Key Vault returns a new version identifier. Record it — you will need it to verify rotation in Step 4.
 ### Step 2 — Roll the backend with both MEK versions readable
 Update the running deployment so that:
 - `AZURE_KEYVAULT_URL` continues to point at the same vault.
 - `FIELD_ENCRYPT_MEK_NAME` continues to point at the same key name (`notelett-mek`).
 - The new version is now the **latest** version on the AKV key; the previous version is still **enabled** so old wrapped DEKs can be unwrapped.
 The AKV-backed `KeyProvider` resolves `mekVersion` from the wrapped-DEK record, so older DEKs continue to unwrap correctly during the transition.
 ### Step 3 — Run `rewrapAllDeks`
 Use the cross-product CLI from common-plat:
 ```bash
 cd ../learning_ai_common_plat
 pnpm --filter @bytelyst/scripts run encrypt-migrate -- \
  --product notelett \
  --mode rewrap-deks \
  --old-mek-version <OLD_VERSION_ID> \
  --new-mek-version <NEW_VERSION_ID>
 ```
 This iterates every wrapped DEK in the `dek_store` container, unwraps with the old MEK version, rewraps with the new MEK version, and writes the updated wrapped DEK back. The `DekCache` is invalidated entry-by-entry so live traffic immediately picks up the new wrap.
 Progress is logged. Re-run is **idempotent**: DEKs whose `mekVersion` already matches the new target are skipped.
 ### Step 4 — Verify
 ```bash
 # 1. Confirm health and dependency readiness against the rotated environment.
 curl https://<backend-host>/health
 curl https://<backend-host>/api/diagnostics/readiness
 # 2. Confirm at least one read of an encrypted note succeeds after rotation.
 curl -H "Authorization: Bearer <token>" https://<backend-host>/api/notes/<noteId>?workspaceId=<workspaceId>
 # 3. Spot-check `dek_store`: every wrapped DEK should report the new mekVersion.
 # Sample query in Cosmos Data Explorer:
 #   SELECT VALUE COUNT(1) FROM c WHERE c.mekVersion != "<NEW_VERSION_ID>"
 # Expected: 0
 ```
 ### Step 5 — Disable the old MEK version
 After verification and a soak period (recommended: 24 hours of normal traffic), disable the old key version in AKV so it can no longer be used to unwrap.
 ```bash
 az keyvault key set-attributes \
  --vault-name "<vault-name>" \
  --name "notelett-mek" \
  --version "<OLD_VERSION_ID>" \
  --enabled false
 ```
 Do **not** delete the old version — keep it disabled for at least 30 days so a backup restore that contains old wrapped DEKs can still be recovered.
 ## Rollback
 If rewrap fails partway:
 1. Stop the rewrap job.
 2. Leave the old MEK version **enabled** in AKV.
 3. The backend continues to serve traffic — DEKs that were already rewrapped resolve via the new version, DEKs that were not yet rewrapped resolve via the old version.
 4. Investigate the failure (typically AKV throttling or transient Cosmos errors), then re-run the same command. It will skip DEKs already rewrapped.
 If a document fails to decrypt after rotation:
 1. Inspect the encrypted field — it carries the `dekId` it expects.
 2. Inspect the `dek_store` row for that `dekId` — confirm `mekVersion` is the new version.
 3. If the row is missing, restore the most recent Cosmos snapshot of `dek_store`.
 4. **Never** rotate the field's `dekId` manually; the field-encrypt library owns that lifecycle.
 ## Recovery From Lost MEK
 If the AKV key (all versions) is unrecoverable:
 - All envelope-encrypted documents are unrecoverable.
 - Restore from the most recent Cosmos snapshot taken **before** the loss.
 - Re-key from that snapshot by:
  1. Provisioning a new AKV key.
  2. Running `scripts/encrypt-migrate.ts` in `re-encrypt` mode (not `rewrap-deks`) so a fresh DEK is generated for every document.
 ## Open Items
 - **Automation:** rotation is manual today. A scheduled monthly rotation via a controlled GitHub Action with AKV federated credentials is tracked in the production-hardening backlog.
 - **Audit trail:** the rewrap CLI writes structured logs but does not yet emit a domain event to `actiontrail`. Tracked separately.
 ## References
 - Package helper: `../learning_ai_common_plat/packages/field-encrypt/src/envelope.ts` — `rewrapAllDeks`
 - Cross-product CLI: `../learning_ai_common_plat/scripts/encrypt-migrate.ts`
 - Backend config: [`backend/src/lib/config.ts`](../backend/src/lib/config.ts) — `FIELD_ENCRYPT_*` env vars
 - Backend bootstrap: [`backend/src/lib/field-encrypt.ts`](../backend/src/lib/field-encrypt.ts) — `initEncryption()`
 - Related: [`docs/DATA_MIGRATION_AND_BACKFILL_PLAN.md`](../DATA_MIGRATION_AND_BACKFILL_PLAN.md) — initial backfill procedure
--- a/docs/runbooks/SECRET_MANAGEMENT.md
+++ b/docs/runbooks/SECRET_MANAGEMENT.md
@ -0,0 +1,136 @@
 # Runbook — Secret Management for NoteLett
 > **Owner:** Platform / Security
 > **Touches:** backend container (port 4016), web container (port 3000), Azure Key Vault, deployment platform
 > **Audience:** anyone deploying NoteLett to a non-development environment
 ## Principles
 - Never commit a secret to git, never bake one into a Docker image.
 - Every secret has exactly one source of truth — Azure Key Vault (AKV) in production.
 - The container reads secrets at process start, never from disk on the runtime host.
 - Rotation is non-disruptive: rolling a deployment after rotating the secret is enough.
 ## Secret Inventory
 | Variable | Required when | Source of truth (prod) | Source (dev) |
 |---|---|---|---|
 | `JWT_SECRET` | always (validated ≥ 32 chars in prod) | AKV secret `notelett-jwt-secret` | `.env` (dev default rejected in prod) |
 | `COSMOS_ENDPOINT` | `DB_PROVIDER=cosmos` | AKV secret `bytelyst-cosmos-endpoint` | `.env` |
 | `COSMOS_KEY` | `DB_PROVIDER=cosmos` | AKV secret `bytelyst-cosmos-key` | `.env` |
 | `AZURE_KEYVAULT_URL` | `FIELD_ENCRYPT_KEY_PROVIDER=akv` | Static config (URL, not a secret) | `.env` |
 | `FIELD_ENCRYPT_KEY` | `FIELD_ENCRYPT_KEY_PROVIDER=env` (non-prod only) | n/a — prod uses AKV | `.env` |
 | `OPENAI_API_KEY` | `LLM_PROVIDER=openai` | AKV secret `notelett-openai-api-key` | `.env` |
 | `OPENAI_BASE_URL` | optional override | Static config (URL, not a secret) | `.env` |
 | `AZURE_OPENAI_API_KEY` | `LLM_PROVIDER=azure` | AKV secret `notelett-azure-openai-key` | `.env` |
 | `AZURE_OPENAI_ENDPOINT` | `LLM_PROVIDER=azure` | Static config (URL, not a secret) | `.env` |
 | `GITEA_NPM_TOKEN` | Docker build only (when not using `docker-prep.sh` tarballs) | CI secret | `~/.npmrc` |
 `backend/src/lib/config.ts` enforces production assertions for the four hardest constraints: `JWT_SECRET` must not be the dev default and must be ≥ 32 chars, `DB_PROVIDER` must be `cosmos`, Cosmos endpoint/key/database must be set, and field encryption must be enabled with `akv` or `env` provider (never `memory`).
 ## Production Pattern — Azure Key Vault
 Two supported flows depending on the deployment target:
 ### Flow A — Workload Identity (preferred)
 1. The backend container runs under a Managed Identity (Azure Container Apps, AKS, or App Service).
 2. The Managed Identity has `secrets/get` and `keys/{wrapKey, unwrapKey}` permissions on the NoteLett key vault.
 3. At process start, an init step resolves secrets from AKV and exports them as env vars in the process scope only:
   ```bash
   # entrypoint snippet (illustrative)
   eval "$(node -e "
     import('@azure/identity').then(({ DefaultAzureCredential }) =>
       import('@azure/keyvault-secrets').then(async ({ SecretClient }) => {
         const c = new SecretClient(process.env.AZURE_KEYVAULT_URL, new DefaultAzureCredential());
         for (const name of ['notelett-jwt-secret','bytelyst-cosmos-key','notelett-openai-api-key']) {
           const v = (await c.getSecret(name)).value;
           process.stdout.write(`export ${name.replace(/-/g,'_').toUpperCase()}='${v}'\n`);
         }
       })
     )"
   )"
   exec node dist/server.js
   ```
   In `@bytelyst/config` this is encapsulated by `resolveKeyVaultSecrets(...)` (see common-plat). Use that helper instead of writing inline glue.
 4. Secrets never touch the container filesystem and never appear in logs (they live in process env only).
 ### Flow B — Kubernetes Secret synced from AKV
 1. Use the AKV CSI driver or `secrets-store.csi.k8s.io` to project AKV secrets into a Kubernetes Secret.
 2. Reference the K8s Secret in the Deployment via `envFrom` so values land in the container env.
 3. Rotate by recreating the Pod after the secret syncs.
 ## Deployment Pattern — `docker-compose.yml`
 The committed `docker-compose.yml` reads from the host shell env (`${OPENAI_API_KEY:-}` etc.) and from a local `.env`. For production-like single-host deploys:
 1. Place secrets in a file owned by the deployer with `chmod 600`, never in git.
 2. Source it before `docker compose up`:
   ```bash
   set -a
   source /etc/notelett/secrets.env
   set +a
   docker compose up -d
   ```
 3. Avoid `--env-file` on the `docker compose` command line — it persists the path in process listings and is harder to rotate.
 4. After deploy, scrub `/etc/notelett/secrets.env` from any shell history (`history -d`) and confirm `docker compose config` does not leak the secret values to logs.
 ## Rotation
 Rotation pattern for any AKV-backed secret:
 1. Update the AKV secret with a new version (`az keyvault secret set ...`).
 2. Roll the backend deployment (rolling restart picks up the new value at process start).
 3. For `JWT_SECRET`: rotation invalidates all outstanding access tokens. Plan for forced re-auth or implement dual-secret support before rotating in production.
 4. For `OPENAI_API_KEY` / `AZURE_OPENAI_API_KEY`: rotation is hot — in-flight LLM calls complete with the old key; new calls use the new key after restart.
 5. For `COSMOS_KEY`: prefer rotating the **secondary** key first, swap the deployment to use it, then rotate the primary.
 MEK rotation has its own runbook: [`MEK_ROTATION.md`](./MEK_ROTATION.md).
 ## Verification
 After any rotation or initial deploy:
 ```bash
 # 1. Service health.
 curl https://<backend-host>/health
 # 2. Dependency readiness (datastore + encryption + platform/extraction/MCP if configured).
 curl https://<backend-host>/api/diagnostics/readiness
 # 3. Authenticated note read (proves JWT_SECRET and Cosmos creds are wired).
 curl -H "Authorization: Bearer <token>" https://<backend-host>/api/notes?workspaceId=<ws>
 # 4. LLM smoke (proves OPENAI_API_KEY or AZURE_OPENAI_API_KEY are wired, if LLM_PROVIDER != mock).
 curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
  -d '{"workspaceId":"<ws>","noteId":"<noteId>","transform":"shorten"}' \
  https://<backend-host>/api/notes/copilot/transform
 ```
 If any returns 5xx, check the structured log line for a missing-secret error before re-rotating.
 ## Red Flags
 - A secret value appearing in `req.log` or `app.log` output. **Stop, rotate, and audit.**
 - A secret committed to git. Use `git filter-repo` to scrub, force-push (coordinate with the team), and rotate the secret immediately.
 - Two pods seeing different secret values. Indicates a partial K8s rollout — finish the rollout before traffic is sent to the new version.
 - `FIELD_ENCRYPT_KEY_PROVIDER=memory` in production. The backend will refuse to start, but if it slips through (e.g. with `NODE_ENV` set to something other than `production`), all encrypted documents are unrecoverable on restart.
 ## Open Items
 - **Centralized rotation calendar.** Tracked in production-hardening backlog: schedule per-secret cadence (90 days for `OPENAI_API_KEY`, 365 days for `JWT_SECRET`, etc.).
 - **Audit log integration.** Emit a `secret.rotated` event to `actiontrail` after each rotation. Currently rotation is logged only in AKV's own audit feed.
 - **Dual-JWT support.** Today `JWT_SECRET` rotation invalidates outstanding tokens; planned: support `JWT_SECRET_NEXT` for graceful transitions.
 ## References
 - Config validation: [`backend/src/lib/config.ts`](../../backend/src/lib/config.ts)
 - AKV-backed encryption provider: `../learning_ai_common_plat/packages/field-encrypt/src/key-provider-akv.ts`
 - Shared secret resolver: `../learning_ai_common_plat/packages/config/src/akv.ts`
 - Related: [`MEK_ROTATION.md`](./MEK_ROTATION.md)