Phase 1 encryption hardening: logging, transport, secrets, and object storage
easterbrooka ran an encryption review and landed the changes that didn't require a key-management redesign first. The pass covers PII scrubbing from logs, transport hardening, download-link signing decoupled from the Supabase secret key, and server-side encryption on S3 puts.
On data leakage: request and error logs were scrubbed of PII, key prefixes, and auth headers. The /system/llm-providers endpoint that reports which models are available was reduced to booleans - it can no longer expose partial key content. The frontend lost its silent fallback to a hardcoded host; the API base URL is now required via environment variable, which forces deployment configuration to be explicit.
Transport gets helmet middleware and HSTS on the backend. Download-link signing is decoupled from the Supabase service-role key - a new dedicated signing secret lives in Secrets Manager and is wired through a new ECS task definition. Future Supabase key rotations no longer silently break signed links already sitting in chat history. Object storage now applies server-side encryption on every S3 put, using SSE-S3 as the fallback until KMS lands in Phase 2.
A dead service-role helper was also removed, which clears the path to pulling the Supabase secret key out of the Amplify frontend environment entirely.
easterbrooka deferred two things explicitly: token TTLs and user-binding on download links need a rendering refactor first because those links persist in message history. Pre-existing lint issues are on a separate branch. Infrastructure changes - the new Secrets Manager secret, the rolled ECS task definition, and the Supabase key rotation - were applied out of band in production before merge, with staging validated against a live Supabase project and MinIO.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?