refactor: remove dot-separated token format, keep only compact + legacy

The dot-separated format (sk-ac-{auth}.{encrypted_mk}) was never
deployed. Remove it to simplify the codebase:

- Remove WrapMasterKey/UnwrapMasterKey (AES-GCM token wrapping)
- Remove EncryptedMasterKey field from ParsedToken
- Remove dot-parsing branch in ParseProjectToken
- Remove dot-format test cases
- Remove generateRandomSecret (unused after compact format)
- Update Python E2E tests to use compact format with AES Key Wrap

S3 envelope encryption (WrapDEK/UnwrapDEK via AES-GCM) is unchanged.

Author: GenerQAQ

src/server/api/go/internal/infra/crypto/envelope_test.go

@@ -288,43 +288,6 @@ func TestDeriveUserKEK_Deterministic(t *testing.T) {
 	}
 }
 
-func TestWrapUnwrapMasterKey(t *testing.T) {
-	wk, _ := DeriveUserKEK("auth-secret", "pepper")
-	mk, err := GenerateMasterKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	encB64, err := WrapMasterKey(wk, mk)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if encB64 == "" {
-		t.Fatal("encrypted master key should not be empty")
-	}
-
-	unwrapped, err := UnwrapMasterKey(wk, encB64)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !bytes.Equal(mk, unwrapped) {
-		t.Fatal("unwrapped master key should match original")
-	}
-}
-
-func TestUnwrapMasterKey_WrongWrappingKey(t *testing.T) {
-	wk1, _ := DeriveUserKEK("auth1", "pepper")
-	wk2, _ := DeriveUserKEK("auth2", "pepper")
-	mk, _ := GenerateMasterKey()
-
-	encB64, _ := WrapMasterKey(wk1, mk)
-
-	_, err := UnwrapMasterKey(wk2, encB64)
-	if err == nil {
-		t.Fatal("should fail with wrong wrapping key")
-	}
-}
-
 func TestMasterKeyAsKEK(t *testing.T) {
 	// master_key is used directly as KEK for wrapping S3 DEKs
 	mk, _ := GenerateMasterKey()
@@ -344,41 +307,6 @@ func TestMasterKeyAsKEK(t *testing.T) {
 	}
 }
 
-func TestMasterKeyRewrapPreservesDecryption(t *testing.T) {
-	// Simulate: old auth_secret → new auth_secret, same master_key
-	// S3 data should still decrypt with the same master_key
-	mk, _ := GenerateMasterKey()
-
-	// Encrypt data with master_key as KEK
-	plaintext := []byte("data that should survive auth rotation")
-	ciphertext, meta, _ := EncryptData(mk, plaintext)
-
-	// Re-wrap master_key with new auth_secret (simulating rotation)
-	oldWK, _ := DeriveUserKEK("old-auth", "pepper")
-	newWK, _ := DeriveUserKEK("new-auth", "pepper")
-
-	encB64, _ := WrapMasterKey(oldWK, mk)
-	unwrapped, _ := UnwrapMasterKey(oldWK, encB64)
-
-	// Re-wrap with new wrapping key
-	newEncB64, _ := WrapMasterKey(newWK, unwrapped)
-	rewrappedMK, _ := UnwrapMasterKey(newWK, newEncB64)
-
-	// master_key should be the same
-	if !bytes.Equal(mk, rewrappedMK) {
-		t.Fatal("master key should be preserved across auth rotation")
-	}
-
-	// S3 data should still decrypt
-	decrypted, err := DecryptData(rewrappedMK, ciphertext, meta)
-	if err != nil {
-		t.Fatal("data should decrypt with same master key after auth rotation:", err)
-	}
-	if !bytes.Equal(plaintext, decrypted) {
-		t.Fatal("decrypted should match plaintext")
-	}
-}
-
 func TestMetadataToMap_NoAdminDEK(t *testing.T) {
 	meta := &EncryptedMeta{
 		Algo:           "AES-256-GCM",

src/server/api/go/internal/infra/crypto/service.go

@@ -25,30 +25,6 @@ func DeriveUserKEK(authSecret, pepper string) ([]byte, error) {
 	return DeriveKEK(secret, salt, info)
 }
 
-// WrapMasterKey encrypts a 32-byte master key with a wrapping key derived from auth_secret.
-// Returns base64url-encoded ciphertext (nonce + encrypted master key).
-func WrapMasterKey(wrappingKey, masterKey []byte) (string, error) {
-	wrapped, err := WrapDEK(wrappingKey, masterKey)
-	if err != nil {
-		return "", fmt.Errorf("crypto: wrap master key: %w", err)
-	}
-	return base64.RawURLEncoding.EncodeToString(wrapped), nil
-}
-
-// UnwrapMasterKey decrypts a base64url-encoded encrypted master key using the wrapping key.
-// Returns the raw 32-byte master key.
-func UnwrapMasterKey(wrappingKey []byte, encryptedMasterKeyB64 string) ([]byte, error) {
-	wrapped, err := base64.RawURLEncoding.DecodeString(encryptedMasterKeyB64)
-	if err != nil {
-		return nil, fmt.Errorf("crypto: decode encrypted master key: %w", err)
-	}
-	mk, err := UnwrapDEK(wrappingKey, wrapped)
-	if err != nil {
-		return nil, fmt.Errorf("crypto: unwrap master key: %w", err)
-	}
-	return mk, nil
-}
-
 // GenerateMasterKey generates a random 32-byte master key for use as a KEK.
 func GenerateMasterKey() ([]byte, error) {
 	return GenerateDEK() // same size: 32 bytes

src/server/api/go/internal/middleware/auth.go

@@ -148,29 +148,15 @@ func ProjectAuth(cfg *config.Config, db *gorm.DB, rdb *redis.Client) gin.Handler
 		c.Set("project", project)
 		SetWideEventField(c, "project_id", project.ID.String())
 
-		// Derive KEK: unwrap master_key from token if present.
-		// Compact tokens carry AES-KW wrapped master key; v1 tokens carry AES-GCM wrapped.
-		// Legacy keys without encrypted_master_key have no encryption support.
+		// Derive KEK from compact token if present.
+		// Legacy keys without CompactRaw have no encryption support.
 		if parsed.CompactRaw != "" {
-			// Compact format: UnpackCompactToken handles derivation + AES-KW unwrap
 			_, userKEK, kerr := encryptionpkg.UnpackCompactToken(parsed.CompactRaw, cfg.Root.SecretPepper)
 			if kerr != nil {
 				c.AbortWithStatusJSON(http.StatusUnauthorized, serializer.AuthErr("invalid API key: failed to unwrap compact token"))
 				return
 			}
 			c.Set("user_kek", userKEK)
-		} else if parsed.EncryptedMasterKey != "" {
-			wrappingKey, wkErr := encryptionpkg.DeriveUserKEK(parsed.AuthSecret, cfg.Root.SecretPepper)
-			if wkErr != nil {
-				c.AbortWithStatusJSON(http.StatusInternalServerError, serializer.DBErr("derive wrapping key", wkErr))
-				return
-			}
-			userKEK, kerr := encryptionpkg.UnwrapMasterKey(wrappingKey, parsed.EncryptedMasterKey)
-			if kerr != nil {
-				c.AbortWithStatusJSON(http.StatusUnauthorized, serializer.AuthErr("invalid API key: failed to unwrap master key"))
-				return
-			}
-			c.Set("user_kek", userKEK)
 		}
 
 		c.Next()

src/server/api/go/internal/modules/service/project.go

@@ -3,7 +3,6 @@ package service
 import (
 	"context"
 	"crypto/rand"
-	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"net/http"
@@ -58,15 +57,6 @@ type UpdateSecretKeyOutput struct {
 	SecretKey string `json:"secret_key"`
 }
 
-// generateRandomSecret generates a random secret key with the specified byte length
-func generateRandomSecret(byteLength int) (string, error) {
-	b := make([]byte, byteLength)
-	if _, err := rand.Read(b); err != nil {
-		return "", err
-	}
-	return base64.RawURLEncoding.EncodeToString(b), nil
-}
-
 func (s *projectService) Create(ctx context.Context, configs map[string]interface{}) (*CreateProjectOutput, error) {
 	pepper := s.cfg.Root.SecretPepper
 	if pepper == "" {

src/server/api/go/internal/pkg/utils/tokens/tokens.go

@@ -25,20 +25,17 @@ func ParseToken(raw, prefix string) (secret string, ok bool) {
 
 // ParsedToken holds the parsed components of a project API key.
 // Supported formats:
-//   - Compact: sk-ac-{base64url(0x01 | auth_16B | aes_kw(mk))} — no dot, CompactRaw set
-//   - V1:     sk-ac-{auth_secret}.{encrypted_master_key} — dot-separated
-//   - Legacy: sk-ac-{auth_secret} — no dot, no encryption
+//   - Compact: sk-ac-{base64url(0x01 | auth_16B | aes_kw(mk))} — 76 chars, CompactRaw set
+//   - Legacy: sk-ac-{auth_secret} — plain text, no encryption
 type ParsedToken struct {
-	AuthSecret         string // raw auth secret (used for HMAC lookup / Argon2 verification)
-	EncryptedMasterKey string // base64url-encoded encrypted master key (empty for legacy/compact)
-	CompactRaw         string // non-empty if compact format detected (the full base64url body)
+	AuthSecret string // auth secret string (used for HMAC lookup / Argon2 verification)
+	CompactRaw string // non-empty if compact format detected (the full base64url body)
 }
 
 // ParseProjectToken parses a raw Bearer token into its components.
 // Formats (checked in order):
-//  1. Dot-separated: sk-ac-{auth_secret}.{encrypted_master_key}
-//  2. Compact: sk-ac-{base64url(0x01 | auth_16B | aes_kw_40B)} — 76 chars, no dot
-//  3. Legacy: sk-ac-{auth_secret} — no dot, no encryption
+//  1. Compact: sk-ac-{base64url(0x01 | auth_16B | aes_kw_40B)} — 76 chars
+//  2. Legacy: sk-ac-{auth_secret} — no encryption
 //
 // Returns ok=false if the prefix doesn't match.
 func ParseProjectToken(raw, prefix string) (parsed ParsedToken, ok bool) {
@@ -50,19 +47,9 @@ func ParseProjectToken(raw, prefix string) (parsed ParsedToken, ok bool) {
 		return ParsedToken{}, false
 	}
 
-	// Dot-separated format: {auth_secret}.{encrypted_master_key}
-	if idx := strings.IndexByte(body, '.'); idx > 0 && idx < len(body)-1 {
-		return ParsedToken{
-			AuthSecret:         body[:idx],
-			EncryptedMasterKey: body[idx+1:],
-		}, true
-	}
-
 	// Compact format: base64url(0x01 | auth_16B | aes_kw_40B) = 57 raw bytes = 76 base64url chars
-	// Detected by: no dot + correct base64url length + version byte 0x01
-	if !strings.Contains(body, ".") && len(body) == 76 {
+	if len(body) == 76 {
 		if decoded, err := base64.RawURLEncoding.DecodeString(body); err == nil && len(decoded) == 57 && decoded[0] == 0x01 {
-			// Extract auth_secret as hex for HMAC/Argon2 compatibility
 			authSecretHex := hex.EncodeToString(decoded[1:17])
 			return ParsedToken{
 				AuthSecret: authSecretHex,

src/server/api/go/internal/pkg/utils/tokens/tokens_test.go

@@ -71,36 +71,24 @@ func TestParseProjectToken(t *testing.T) {
 	prefix := "sk-ac-"
 
 	tests := []struct {
-		name    string
-		raw     string
-		want    ParsedToken
-		wantOK  bool
+		name       string
+		raw        string
+		wantAuth   string
+		wantCompact bool
+		wantOK     bool
 	}{
 		{
-			name: "new format with dot separator",
-			raw:  "sk-ac-authsecret123.encryptedmasterkey456",
-			want: ParsedToken{
-				AuthSecret:         "authsecret123",
-				EncryptedMasterKey: "encryptedmasterkey456",
-			},
-			wantOK: true,
+			name:     "legacy format",
+			raw:      "sk-ac-somelegacysecretvalue",
+			wantAuth: "somelegacysecretvalue",
+			wantOK:   true,
 		},
 		{
-			name: "legacy format without dot",
-			raw:  "sk-ac-somelegacysecretvalue",
-			want: ParsedToken{
-				AuthSecret: "somelegacysecretvalue",
-			},
-			wantOK: true,
-		},
-		{
-			name: "new format with base64url chars including dashes",
-			raw:  "sk-ac-abc-def_ghi.xyz-uvw_123",
-			want: ParsedToken{
-				AuthSecret:         "abc-def_ghi",
-				EncryptedMasterKey: "xyz-uvw_123",
-			},
-			wantOK: true,
+			name:       "compact format (76 chars)",
+			raw:        "sk-ac-AaGyw9Tl9qe4ydDh8qO0xdZNkrobQvwHWFRsnp5a3QtfbaDSDJQeRHxXPr4bGpc0g130EqBSjRNF",
+			wantAuth:   "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
+			wantCompact: true,
+			wantOK:     true,
 		},
 		{
 			name:   "wrong prefix",
@@ -118,29 +106,10 @@ func TestParseProjectToken(t *testing.T) {
 			wantOK: false,
 		},
 		{
-			name: "dot at end (no encrypted master key) → treated as legacy",
-			raw:  "sk-ac-authsecret.",
-			want: ParsedToken{
-				AuthSecret: "authsecret.",
-			},
-			wantOK: true,
-		},
-		{
-			name: "dot at start (no auth secret) → treated as legacy",
-			raw:  "sk-ac-.encryptedmasterkey",
-			want: ParsedToken{
-				AuthSecret: ".encryptedmasterkey",
-			},
-			wantOK: true,
-		},
-		{
-			name: "multiple dots uses first dot as separator",
-			raw:  "sk-ac-auth.enc.extra",
-			want: ParsedToken{
-				AuthSecret:         "auth",
-				EncryptedMasterKey: "enc.extra",
-			},
-			wantOK: true,
+			name:     "short token treated as legacy",
+			raw:      "sk-ac-short",
+			wantAuth: "short",
+			wantOK:   true,
 		},
 	}
 
@@ -149,8 +118,12 @@ func TestParseProjectToken(t *testing.T) {
 			parsed, ok := ParseProjectToken(tt.raw, prefix)
 			assert.Equal(t, tt.wantOK, ok)
 			if ok {
-				assert.Equal(t, tt.want.AuthSecret, parsed.AuthSecret)
-				assert.Equal(t, tt.want.EncryptedMasterKey, parsed.EncryptedMasterKey)
+				assert.Equal(t, tt.wantAuth, parsed.AuthSecret)
+				if tt.wantCompact {
+					assert.NotEmpty(t, parsed.CompactRaw)
+				} else {
+					assert.Empty(t, parsed.CompactRaw)
+				}
 			}
 		})
 	}

src/server/tests/e2e/test_encryption.py

@@ -24,9 +24,9 @@
 import asyncpg
 import httpx
 import pytest
-from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.keywrap import aes_key_wrap
 from pydantic import BaseModel
 
 # Reuse infra from conftest
@@ -52,11 +52,12 @@
 
 
 # ---------------------------------------------------------------------------
-# Crypto helpers — must match Go's DeriveUserKEK / WrapMasterKey
+# Crypto helpers — must match Go's compact token format
 # ---------------------------------------------------------------------------
 
 KEY_SIZE = 32
-NONCE_SIZE = 12
+COMPACT_AUTH_SECRET_LEN = 16
+COMPACT_VERSION = 0x01
 
 
 def _derive_user_kek(auth_secret: str, pepper: str) -> bytes:
@@ -68,26 +69,23 @@ def _derive_user_kek(auth_secret: str, pepper: str) -> bytes:
     return hkdf.derive(secret)
 
 
-def _wrap_master_key(wrapping_key: bytes, master_key: bytes) -> str:
-    """Encrypt master_key with wrapping_key via AES-256-GCM, return base64url."""
-    nonce = os.urandom(NONCE_SIZE)
-    aesgcm = AESGCM(wrapping_key)
-    ct = aesgcm.encrypt(nonce, master_key, None)
-    return base64.urlsafe_b64encode(nonce + ct).rstrip(b"=").decode()
-
-
 def _generate_project_token(pepper: str) -> tuple[str, str, str]:
-    """Generate a project token with embedded encrypted master key.
+    """Generate a compact project token with AES Key Wrap.
 
-    Returns (auth_secret, bearer_token, hmac_hex).
+    Format: base64url(0x01 | auth_secret_16B | aes_kw(master_key_32B))
+    Returns (auth_secret_hex, bearer_token, hmac_hex).
     """
-    auth_secret = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
+    auth_secret_raw = os.urandom(COMPACT_AUTH_SECRET_LEN)
+    auth_secret_hex = auth_secret_raw.hex()
     master_key = os.urandom(KEY_SIZE)
-    wrapping_key = _derive_user_kek(auth_secret, pepper)
-    encrypted_mk_b64 = _wrap_master_key(wrapping_key, master_key)
-    bearer_token = f"{TEST_TOKEN_PREFIX}{auth_secret}.{encrypted_mk_b64}"
-    token_hmac = generate_hmac(auth_secret, pepper)
-    return auth_secret, bearer_token, token_hmac
+    wrapping_key = _derive_user_kek(auth_secret_hex, pepper)
+    wrapped_mk = aes_key_wrap(wrapping_key, master_key)
+    # Pack: version | auth_secret | wrapped_master_key
+    buf = bytes([COMPACT_VERSION]) + auth_secret_raw + wrapped_mk
+    compact_body = base64.urlsafe_b64encode(buf).rstrip(b"=").decode()
+    bearer_token = f"{TEST_TOKEN_PREFIX}{compact_body}"
+    token_hmac = generate_hmac(auth_secret_hex, pepper)
+    return auth_secret_hex, bearer_token, token_hmac
 
 
 # ---------------------------------------------------------------------------