feat: Add encrypted Groq BYOK credential storage and resolution#418
Open
NirmalSingh-09 wants to merge 1 commit into
@NirmalSingh-09 is attempting to deploy a commit to the Adarsh's projects Team on Vercel. A member of the Team first needs to authorize it.
MRIARC-08 requested changes on Jun 25, 2026
MRIARC-08 (Owner) left a comment:
@NirmalSingh-09 I can’t review or merge this one yet because it now conflicts with current main in src/prisma/schema.prisma.
Main has picked up new Prisma schema changes from recently merged PRs, so please rebase this branch on the latest main, resolve the schema conflict, regenerate Prisma/lockfile output only if needed, and push the result.
After that I’ll recheck the credential encryption and response-sanitization behavior.
0b8429f to 8ede656
Contributor, Author
@MRIARC-08 Rebased onto latest upstream main and resolved the schema.prisma conflict.
Closes #368
What this PR does
Implements encrypted Groq BYOK (Bring Your Own Key) credential storage so user API keys are never persisted in plaintext.
Changes
src/prisma/schema.prisma — adds ProviderCredential model with ciphertext, keyVersion, maskedSuffix, revocation state
src/lib/crypto.ts — AES-256-GCM envelope encryption (random data key per credential, encrypted with master key)
src/lib/env.ts — adds CREDENTIAL_MASTER_KEY validation
src/modules/credentials/ — service, controller, types, index
src/app/api/credentials/ — POST /api/credentials, GET /api/credentials, DELETE /api/credentials/:id
src/lib/crypto.test.ts — 6 passing tests verifying encrypt/decrypt, no plaintext leakage, random IVs
Security guarantees
Plaintext keys are never persisted — only ciphertext stored in DB
API responses expose only masked suffix (last 4 chars)
resolveForInternalUse is server-side only — never called from client or queues
Migration note: requires CREDENTIAL_MASTER_KEY (min 32 chars) in .env
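The envelope scheme the description outlines (random data key per credential, sealed under a master key, only the last 4 characters exposed), as an added TypeScript example that is not the PR's `src/lib/crypto.ts`. Assumptions: the master key is already a 32-byte Buffer (how the PR derives one from `CREDENTIAL_MASTER_KEY` is not shown on the page), the record shape and function names are hypothetical, and the key version is bound to both layers as GCM associated data.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

interface StoredCredential { // hypothetical shape; names echo the PR text, not its schema
  keyVersion: number;
  wrappedKey: string;   // data key sealed under the master key
  ciphertext: string;   // API key sealed under the data key
  maskedSuffix: string; // the only part safe to return from the API
}

// AES-256-GCM seal: output is base64(iv || tag || ciphertext).
function seal(key: Buffer, plaintext: Buffer, aad: Buffer): string {
  const iv = randomBytes(12); // fresh 96-bit nonce for every call
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

function open(key: Buffer, sealed: string, aad: Buffer): Buffer {
  const raw = Buffer.from(sealed, "base64");
  if (raw.length < 28) throw new Error("sealed blob too short");
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag, AAD or ciphertext does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
}

function encryptCredential(apiKey: string, masterKey: Buffer, keyVersion: number): StoredCredential {
  if (masterKey.length !== 32) throw new Error("master key must be 32 bytes");
  const aad = Buffer.from(`v${keyVersion}`); // binds both layers to the key version
  const dataKey = randomBytes(32);           // per-credential data key
  try {
    return {
      keyVersion,
      wrappedKey: seal(masterKey, dataKey, aad),
      ciphertext: seal(dataKey, Buffer.from(apiKey, "utf8"), aad),
      maskedSuffix: apiKey.slice(-4),
    };
  } finally {
    dataKey.fill(0); // best-effort wipe of the plaintext data key
  }
}

function decryptCredential(rec: StoredCredential, masterKey: Buffer): string {
  const aad = Buffer.from(`v${rec.keyVersion}`);
  const dataKey = open(masterKey, rec.wrappedKey, aad);
  return open(dataKey, rec.ciphertext, aad).toString("utf8");
}
```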