fix: align Go/Python HKDF constants, deduplicate encryption actions, extract metadata keys

- Fix critical HKDF salt/info mismatch between Go and Python crypto modules
  that would produce different KEKs for the same input
- Replace raw fetch with AcontextClient in encrypt/decrypt server actions
  and deduplicate into shared toggleProjectEncryption helper
- Remove redundant encryptionEnabled parameter from rotateSecretKey
  (now derived from project record fetched server-side)
- Extract MetaKeyAlgo/MetaKeyDEKUser constants and ClearEncryptionMetadata
  helper from crypto package; replace hard-coded strings in s3.go
- Remove unused EncodeBase64/DecodeBase64 wrappers and WHAT-comments

Author: GenerQAQ

dashboard/app/project/[id]/api-keys/actions.ts

@@ -59,7 +59,7 @@ export async function getSecretKeyHistory(projectId: string) {
  * Rotate (generate new) secret key for a project
  * Returns the full key for one-time display
  */
-export async function rotateSecretKey(projectId: string, encryptionEnabled: boolean, apiKey?: string) {
+export async function rotateSecretKey(projectId: string, apiKey?: string) {
   // Get current user (will redirect if not authenticated)
   const user = await getCurrentUser();
 
@@ -85,18 +85,15 @@ export async function rotateSecretKey(projectId: string, encryptionEnabled: bool
   }
 
   try {
-    // Call API to generate new secret key
     // Encrypted projects must use Bearer route to preserve master key
-    // Non-encrypted projects can use either route
     const client = new AcontextClient();
     let fullSecretKey: string;
-    if (encryptionEnabled) {
+    if (project.encryption_enabled) {
       if (!apiKey) {
         return { error: "Encrypted projects require a saved API key to rotate. Please save your API key first." };
       }
       fullSecretKey = await client.rotateProjectSecretKey(apiKey);
     } else if (apiKey) {
-      // Prefer Bearer route when API key is available (preserves master key)
       fullSecretKey = await client.rotateProjectSecretKey(apiKey);
     } else {
       fullSecretKey = await client.rotateProjectSecretKeyAdmin(projectId);

dashboard/app/project/[id]/api-keys/api-keys-page-client.tsx

@@ -166,7 +166,6 @@ console.log(await client.ping());`,
     startTransition(async () => {
       const result = await rotateSecretKey(
         project.id,
-        project.encryption_enabled ?? false,
         savedApiKey ?? undefined,
       );
       if (result.error) {

dashboard/app/project/[id]/settings/general/actions.ts

@@ -146,9 +146,10 @@ export async function getProjectConfigs(
   }
 }
 
-export async function encryptProjectAction(
+async function toggleProjectEncryption(
   projectId: string,
-  apiKey: string
+  apiKey: string,
+  action: "encrypt" | "decrypt"
 ): Promise<{ success?: boolean; error?: string }> {
   try {
     await getCurrentUser();
@@ -166,17 +167,14 @@ export async function encryptProjectAction(
       return { error: "Project not found or access denied" };
     }
     if (membership.role !== "owner") {
-      return { error: "Only organization owners can enable encryption" };
+      return { error: `Only organization owners can ${action === "encrypt" ? "enable" : "disable"} encryption` };
     }
 
-    const baseUrl = process.env.ACONTEXT_API_BASE_URL ?? "https://admin.acontext.app";
-    const resp = await fetch(`${baseUrl}/admin/v1/project/encrypt`, {
-      method: "POST",
-      headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
-    });
-    if (!resp.ok) {
-      const body = await resp.json().catch(() => ({}));
-      throw new Error(body.msg || `HTTP ${resp.status}`);
+    const client = new AcontextClient();
+    if (action === "encrypt") {
+      await client.encryptProject(projectId, apiKey);
+    } else {
+      await client.decryptProject(projectId, apiKey);
     }
 
     const encodedProjectId = encodeId(projectId);
@@ -185,53 +183,23 @@ export async function encryptProjectAction(
     return { success: true };
   } catch (error) {
     return {
-      error: `Failed to encrypt project: ${error instanceof Error ? error.message : "Unknown error"}`,
+      error: `Failed to ${action} project: ${error instanceof Error ? error.message : "Unknown error"}`,
     };
   }
 }
 
-export async function decryptProjectAction(
+export async function encryptProjectAction(
   projectId: string,
   apiKey: string
 ): Promise<{ success?: boolean; error?: string }> {
-  try {
-    await getCurrentUser();
-
-    const project = await getProject(projectId);
-    if (!project) {
-      return { error: "Project not found" };
-    }
-
-    const membership = await getOrganizationMembershipForCurrentUser(
-      project.organization_id,
-      "role"
-    );
-    if (!membership) {
-      return { error: "Project not found or access denied" };
-    }
-    if (membership.role !== "owner") {
-      return { error: "Only organization owners can disable encryption" };
-    }
-
-    const baseUrl = process.env.ACONTEXT_API_BASE_URL ?? "https://admin.acontext.app";
-    const resp = await fetch(`${baseUrl}/admin/v1/project/decrypt`, {
-      method: "POST",
-      headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
-    });
-    if (!resp.ok) {
-      const body = await resp.json().catch(() => ({}));
-      throw new Error(body.msg || `HTTP ${resp.status}`);
-    }
-
-    const encodedProjectId = encodeId(projectId);
-    revalidatePath(`/project/${encodedProjectId}`, "layout");
+  return toggleProjectEncryption(projectId, apiKey, "encrypt");
+}
 
-    return { success: true };
-  } catch (error) {
-    return {
-      error: `Failed to decrypt project: ${error instanceof Error ? error.message : "Unknown error"}`,
-    };
-  }
+export async function decryptProjectAction(
+  projectId: string,
+  apiKey: string
+): Promise<{ success?: boolean; error?: string }> {
+  return toggleProjectEncryption(projectId, apiKey, "decrypt");
 }
 
 export async function updateProjectConfigs(

src/server/api/go/internal/infra/blob/s3.go

@@ -182,7 +182,6 @@ func encryptAndMergeMetadata(content []byte, userKEK []byte, metadata map[string
 	if err != nil {
 		return nil, nil, fmt.Errorf("encrypt data: %w", err)
 	}
-	// Merge encryption metadata into the existing metadata map
 	for k, v := range encMeta.MetadataToMap() {
 		metadata[k] = v
 	}
@@ -253,14 +252,12 @@ func (u *S3Deps) uploadWithDedup(
 	datePrefix := time.Now().UTC().Format("2006/01/02")
 	key := fmt.Sprintf("%s/%s/%s%s", keyPrefix, datePrefix, sumHex, ext)
 
-	// Read body into bytes for potential encryption
 	var bodyBuf bytes.Buffer
 	if _, err := io.Copy(&bodyBuf, body); err != nil {
 		return nil, fmt.Errorf("read body: %w", err)
 	}
 	uploadBytes := bodyBuf.Bytes()
 
-	// Encrypt if userKEK provided
 	var encErr error
 	uploadBytes, metadata, encErr = encryptAndMergeMetadata(uploadBytes, userKEK, metadata)
 	if encErr != nil {
@@ -535,7 +532,6 @@ func (u *S3Deps) EncryptObject(ctx context.Context, key string, userKEK []byte)
 		return fmt.Errorf("encrypt: %w", err)
 	}
 
-	// Merge encryption metadata
 	for k, v := range encMeta.MetadataToMap() {
 		metadata[k] = v
 	}
@@ -572,9 +568,7 @@ func (u *S3Deps) DecryptObject(ctx context.Context, key string, userKEK []byte)
 		return fmt.Errorf("decrypt: %w", err)
 	}
 
-	// Remove encryption metadata
-	delete(metadata, "enc-algo")
-	delete(metadata, "enc-dek-user")
+	encryptionpkg.ClearEncryptionMetadata(metadata)
 
 	input := &s3.PutObjectInput{
 		Bucket:      aws.String(u.Bucket),
@@ -621,8 +615,7 @@ func (u *S3Deps) RewrapObjectDEK(ctx context.Context, key string, oldKEK, newKEK
 		return nil
 	}
 
-	// Update metadata
-	metadata["enc-dek-user"] = newWrapped
+	metadata[encryptionpkg.MetaKeyDEKUser] = newWrapped
 
 	// CopyObject to update metadata in-place
 	source := u.Bucket + "/" + key

src/server/api/go/internal/infra/crypto/envelope_test.go

@@ -248,18 +248,6 @@ func TestRewrapDEK_BothKEKsFail(t *testing.T) {
 	}
 }
 
-func TestEncodeDecodeBase64(t *testing.T) {
-	original := []byte("hello base64 round trip")
-	encoded := EncodeBase64(original)
-	decoded, err := DecodeBase64(encoded)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !bytes.Equal(original, decoded) {
-		t.Fatal("decoded should match original")
-	}
-}
-
 func TestMetadataMapRoundTrip(t *testing.T) {
 	meta := &EncryptedMeta{
 		Algo:           "AES-256-GCM",

src/server/api/go/internal/infra/crypto/service.go

@@ -44,6 +44,13 @@ func GenerateMasterKey() ([]byte, error) {
 	return GenerateDEK() // same size: 32 bytes
 }
 
+const (
+	// MetaKeyAlgo is the S3 metadata key for the encryption algorithm.
+	MetaKeyAlgo = "enc-algo"
+	// MetaKeyDEKUser is the S3 metadata key for the user-wrapped DEK.
+	MetaKeyDEKUser = "enc-dek-user"
+)
+
 // EncryptedMeta holds the metadata stored alongside an encrypted S3 object.
 type EncryptedMeta struct {
 	Algo           string // "AES-256-GCM"
@@ -130,33 +137,29 @@ func RewrapDEK(meta *EncryptedMeta, oldUserKEK, newUserKEK []byte) (string, erro
 	return base64.StdEncoding.EncodeToString(newWrapped), nil
 }
 
-// EncodeBase64 encodes bytes to standard base64 string.
-func EncodeBase64(data []byte) string {
-	return base64.StdEncoding.EncodeToString(data)
-}
-
-// DecodeBase64 decodes a standard base64 string to bytes.
-func DecodeBase64(s string) ([]byte, error) {
-	return base64.StdEncoding.DecodeString(s)
-}
-
 // MetadataToMap converts EncryptedMeta to S3-compatible metadata map.
 func (m *EncryptedMeta) MetadataToMap() map[string]string {
 	return map[string]string{
-		"enc-algo":     m.Algo,
-		"enc-dek-user": m.UserWrappedDEK,
+		MetaKeyAlgo:    m.Algo,
+		MetaKeyDEKUser: m.UserWrappedDEK,
 	}
 }
 
+// ClearFromMap removes encryption metadata keys from the given map.
+func ClearEncryptionMetadata(metadata map[string]string) {
+	delete(metadata, MetaKeyAlgo)
+	delete(metadata, MetaKeyDEKUser)
+}
+
 // MetadataFromMap extracts EncryptedMeta from S3 object metadata.
 // Returns nil if the object is not encrypted (no enc-algo key).
 func MetadataFromMap(metadata map[string]string) *EncryptedMeta {
-	algo, ok := metadata["enc-algo"]
+	algo, ok := metadata[MetaKeyAlgo]
 	if !ok || algo == "" {
 		return nil
 	}
 	return &EncryptedMeta{
 		Algo:           algo,
-		UserWrappedDEK: metadata["enc-dek-user"],
+		UserWrappedDEK: metadata[MetaKeyDEKUser],
 	}
 }

src/server/core/acontext_core/infra/crypto.py

@@ -19,11 +19,6 @@
 KEY_SIZE = 32  # AES-256
 NONCE_SIZE = 12  # AES-GCM nonce
 
-# Must match Go constants in internal/infra/crypto/service.go
-_USER_KEK_SALT = b"acontext-user-kek"
-_USER_KEK_INFO = b"acontext envelope encryption user KEK"
-
-
 def derive_kek(secret: bytes, salt: bytes, info: bytes) -> bytes:
     """Derive a KEK using HKDF-SHA256 (compatible with Go's golang.org/x/crypto/hkdf)."""
     if not secret:
@@ -40,11 +35,15 @@ def derive_kek(secret: bytes, salt: bytes, info: bytes) -> bytes:
 def derive_user_kek(api_key_raw: str, pepper: str) -> bytes:
     """Derive the user KEK from the raw API key and pepper.
 
-    Mirrors the Go implementation: HKDF-SHA256 over (apiKeyRaw + pepper)
-    with userKEKSalt and userKEKInfo.
+    Must match Go's DeriveUserKEK in internal/infra/crypto/service.go:
+      secret = (authSecret + pepper)
+      salt   = (pepper + "-master-key-wrap")
+      info   = (pepper + " master key wrapping")
     """
     secret = (api_key_raw + pepper).encode()
-    return derive_kek(secret, _USER_KEK_SALT, _USER_KEK_INFO)
+    salt = (pepper + "-master-key-wrap").encode()
+    info = (pepper + " master key wrapping").encode()
+    return derive_kek(secret, salt, info)
 
 
 def generate_dek() -> bytes: