fix: close three encryption safety gaps

1. Block legacy (v1) key rotation on encrypted projects — rotating
   without a master key would generate a new one, orphaning all S3 DEKs.
2. Hard-fail on invalid KEK in session_message.py (was soft-fail with
   LOG.warning, now LOG.error + return) to match skill_learner.py.
3. Remove EncryptProject retry guard — the 400 on already-enabled
   projects blocked crash recovery despite EncryptObject being idempotent.

Author: GenerQAQ

src/server/api/go/internal/modules/handler/admin.go

@@ -248,10 +248,11 @@ func (h *AdminHandler) EncryptProject(c *gin.Context) {
 		return
 	}
 
-	if project.EncryptionEnabled {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("project encryption is already enabled", nil))
-		return
-	}
+	// No early-return if EncryptionEnabled is already true — allow idempotent
+	// retry so that partial failures (crash after flag set, before all objects
+	// encrypted) can be recovered by re-calling this endpoint.
+	// EncryptObject skips already-encrypted objects, and the DB UPDATE is a no-op
+	// when the flag is already true.
 
 	// Set encryption_enabled = true FIRST for crash safety.
 	// If we crash after this but before encrypting all objects, reads will use KEK
@@ -387,6 +388,16 @@ func (h *AdminHandler) RotateProjectSecretKey(c *gin.Context) {
 	// Get the current KEK (master_key) from context — nil for legacy keys.
 	masterKey := middleware.GetUserKEK(c)
 
+	// Guard: if the project has encryption enabled, we MUST have the current
+	// master_key to re-wrap it.  Legacy (v1) tokens don't carry a master_key,
+	// so rotating them would generate a brand-new key and orphan all existing
+	// S3 DEKs — irreversible data loss.
+	if project.EncryptionEnabled && masterKey == nil {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr(
+			"cannot rotate: project has encryption enabled but current API key has no embedded master key; re-issue a v2 key first", nil))
+		return
+	}
+
 	// Generates new auth_secret, re-wraps the same master_key.
 	output, err := h.projectSvc.RotateSecretKey(c.Request.Context(), project.ID, masterKey)
 	if err != nil {

src/server/core/acontext_core/service/session_message.py

@@ -87,13 +87,16 @@ async def insert_new_message(body: InsertNewMessage, message: Message):
     wide["lock_retries"] = body.lock_retry_count
     wide["process_rightnow"] = body.process_rightnow
 
-    # Decode user KEK from base64 if present in the message
+    # Decode user KEK from base64 if present in the message.
+    # Hard-fail on invalid KEK — continuing with None would silently store
+    # plaintext, inconsistent with skill_learner.py's hard-fail pattern.
     user_kek_bytes = None
     if body.user_kek:
         try:
             user_kek_bytes = base64.b64decode(body.user_kek)
         except Exception:
-            LOG.warning("session_message.invalid_user_kek", session_id=str(body.session_id))
+            LOG.error("session_message.invalid_user_kek", session_id=str(body.session_id))
+            return
 
     try:
         if pending_count > (