Add field-level encryption for verifier secrets and webhook secrets at rest in src/lib/encryption.ts

[1nonlypiece]

📌 Description

Several sensitive columns are stored in plaintext: webhook subscriber secrets,
and potentially verifier callback credentials. API keys are hashed (not
reversible), but webhook HMAC secrets must remain reversible to re-sign, so
hashing is not an option — they need encryption at rest. There is no shared
envelope-encryption helper today.

Goal: reversible secrets are encrypted at rest with a rotatable key,
decrypted only in memory at use time.

🎯 Requirements and Context

• src/lib/encryption.ts provides encryptField/decryptField using
  authenticated encryption (AES-256-GCM) with a key resolved from
  src/config/env.ts (FIELD_ENCRYPTION_KEY), supporting key-id tagging for
  rotation.
• Stored ciphertext carries the key id so old data decrypts after rotation.
• Applied to webhook secrets (and any other reversible secret columns).
• Decryption failures are surfaced clearly, never silently returning ciphertext.

🛠️ Suggested Execution

1. Create a branch

git checkout -b feature/field-encryption-at-rest

2. Implement changes

• Add src/lib/encryption.ts and wire it into webhook secret read/write.
• Add FIELD_ENCRYPTION_KEY(s) to env validation.
• Document key rotation in docs/security-ci.md (or a new doc).

3. Test and commit

• Add src/tests/encryption.test.ts covering round-trip, tamper detection
  (GCM auth failure), key-id rotation decrypt, and missing-key startup failure.
• Run bun test src/tests/encryption.test.ts.
• Edge cases: tampered ciphertext, wrong key, rotated key, empty plaintext.

Example commit message

security: AES-256-GCM field encryption at rest for reversible secrets

✅ Guidelines

• Minimum 95% test coverage on new/changed lines.
• Document the key-rotation procedure.
• Timeframe: 96 hours.

🏷️ Labels

type-security · area-backend · type-feature · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN

💬 Community & Support

• Join the Disciplr contributor Discord: https://discord.gg/xvNAvMJf
• Introduce yourself before starting to avoid duplicate work.

[Killerjunior]

@Killerjunior has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer, I have read and understood the issue requirements and checked the necessary documentation. I’m confident I can work on this task effectively and deliver a proper solution.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Killerjunior to this issue.

[githoboman]

@githoboman has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello would love to work on this issue am a full stack blockchain dev

ℹ️ Repo Maintainers: To accept this application, review their application or assign @githoboman to this issue.

[drips-wave]

Congratulations, @githoboman! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @githoboman: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[grantfox-oss]

🦊 GrantFox — @githoboman has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #683)
2. Your PR will be reviewed by the Disciplr-Org maintainers

Good luck! Track your progress on GrantFox.