Phase 1 encryption hardening: logging, transport, secrets, and object storage

easterbrooka ran an encryption review and landed the changes that didn't require a key-management redesign first. The pass covers PII scrubbing from logs, transport hardening, download-link signing decoupled from the Supabase secret key, and server-side encryption on S3 puts.

securityinfrastructure

On data leakage: request and error logs were scrubbed of PII, key prefixes, and auth headers. The /system/llm-providers endpoint that reports which models are available was reduced to booleans - it can no longer expose partial key content. The frontend lost its silent fallback to a hardcoded host; the API base URL is now required via environment variable, which forces deployment configuration to be explicit.

Transport gets helmet middleware and HSTS on the backend. Download-link signing is decoupled from the Supabase service-role key - a new dedicated signing secret lives in Secrets Manager and is wired through a new ECS task definition. Future Supabase key rotations no longer silently break signed links already sitting in chat history. Object storage now applies server-side encryption on every S3 put, using SSE-S3 as the fallback until KMS lands in Phase 2.

A dead service-role helper was also removed, which clears the path to pulling the Supabase secret key out of the Amplify frontend environment entirely.

easterbrooka deferred two things explicitly: token TTLs and user-binding on download links need a rendering refactor first because those links persist in message history. Pre-existing lint issues are on a separate branch. Infrastructure changes - the new Secrets Manager secret, the rolled ECS task definition, and the Supabase key rotation - were applied out of band in production before merge, with staging validated against a live Supabase project and MinIO.

So what Worth reviewing if you're preparing for a security audit or running mike with real client data. The logging scrub and transport changes are low-risk to adopt. The download-signing decoupling requires the Secrets Manager setup; if you're not on AWS ECS, that piece needs adaptation. The deferred items (link TTLs, lint) are documented, which makes it easier to pick up where this left off.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?